Introduction
Disasters, regardless of their type, can happen anywhere and at any time. It is almost impossible to avoid disasters, so the most an organization can do is have an appropriate Disaster Recovery plan in place.
Planning for Disaster Recovery is the key aspect that separates organizations that can manage a crisis with minimal cost and effort and maximum speed from those that end up paying whatever it costs to recover and are forced to make decisions out of desperation.
There are two main categories of disasters:
- Natural disasters (earthquakes, floods, hurricanes, tornadoes, etc.)
- Man-made disasters (infrastructure failure, bio-terrorism, hazardous material spills, etc.)
ISO 24762 was created to define what third-party organizations should be offering in terms of ICT Disaster Recovery services. The standard serves as a framework for companies such as hot site firms, cold site firms, managed services firms, colocation service providers, and alternate workspace providers. It covers a broad range of issues that vendors should address to ensure their service offerings are protected. These include building construction, security measures, provision of infrastructure services such as power, water and telecommunications, and environmental controls.
An overview of ISO 24762
ISO 24762 provides guidelines for the ICT DR services, which include both those provided in-house and outsourced. It covers facility and service capabilities, and provides fallback and recovery support to an organization’s ICT systems.
The guidelines are applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services in varying degrees. ICT DR service providers should interpret the intent of these guidelines within the context of the services they offer.
It does not:
- Provide guidance on business continuity management as a whole for organizations
- Take precedence over any laws and regulations
- Have any legal power over the Service Level Agreements included in negotiated contracts between organizations and service providers
- Address requirements, legal or otherwise, governing normal business operations to be adhered to by service providers
- Provide an exhaustive list
And it applies to:
- All organizations requiring ICT DR services as part of their business
- ICT DR service providers in their provision of ICT DR services
- Communities of organizations with reciprocal or mutual arrangements
ICT DR service provision framework
ISO 24762 is based on a multi-tier framework which includes the different elements of ICT DR service provision. The “foundation” layer comprises the essential aspects of ICT DR services, namely Policies, Performance Measurement, Processes and People, and helps define the supporting infrastructure and service capability. The “continuous improvement” layer emphasizes practices that help improve ICT DR activities in specific areas, and represents an additional level of provision on top of the services provided.
Key clauses of ISO 24762
ISO 24762 is organized into the following clauses:
Clause 5: ICT Disaster Recovery
Clause 6: ICT Disaster Recovery facilities
Clause 7: Outsourced service provider’s capability
Clause 8: Selection of recovery sites
Clause 9: Continuous Improvement
Each of these key areas is described below.
Clause 5: ICT disaster recovery
ICT DR service provision, irrespective of whether it is provided in-house or outsourced, should follow best practice guidelines as outlined in this clause. If the guidelines are followed, there will be assurance that the ICT DR services have been implemented after due consideration of unforeseen events that could affect the ability to fulfill service obligations, and related risk mitigation via prior arrangement with other service providers in the industry.
Clause 6: ICT disaster recovery facilities
In order to provide secure physical operating environments that facilitate an organization’s recovery efforts, ICT DR service providers need to fulfill some basic requirements. Besides the basic physical facility requirements, requirements for environmental controls, telecommunications, continuous power supply and non-recovery amenities such as parking and access to food and drinks also need to be considered. For providers with multiple recovery sites, the guidance should be applied equally to each and every site.
Clause 7: Outsourced service provider's capability
Outsourced ICT DR service providers should provide the basic service capabilities required by organizations. This includes having qualified staff, the capacity to support simultaneous invocations of DR plans by different organizations, regular audits of all capabilities and services offered to organizations, and their own fully documented and tested business continuity and Disaster Recovery plans in place.
Clause 8: Selection of recovery sites
This clause provides guidance for:
- Organizations that are in the process of selecting an external recovery site as part of their ICT DR practices;
- ICT DR service providers who are in the process of building (additional) recovery sites to expand their operations.
Clause 9: Continuous improvement
Service providers should continuously improve their service through the following:
- Tracking ICT DR trends
- Performance measurement
- Scalability planning
- Continuous risk mitigation
Link with ISO 22301
A DRP (Disaster Recovery Plan) is one of the many plans and analyses required to build a full BCP (Business Continuity Plan). ISO 24762 focuses on recovering operations during and after a loss, while ISO 22301 focuses on the processes that prepare an organization to handle a disaster.
ICT Disaster recovery - the business benefits
As with all major undertakings within an organization, it is essential to gain the backing and sponsorship of the executive management. By far the best way to achieve this is to illustrate the positive gains of having an effective Disaster Recovery plan in place, rather than through highlighting the negative aspects of the contrary.
The adoption of an effective Disaster Recovery plan within an organization will have benefits in a number of areas, examples of which include:
- Providing a sense of security
- Providing a standard for testing the plan
- Reducing the risk of delays
- Reducing decision-making during a disaster
- Reducing potential legal liabilities
- Assuring the reliability of standby systems
- Reducing an unnecessarily stressful work environment
Training and certification of professionals
PECB has created a recommended training roadmap and personnel certification scheme for implementers in organizations that wish to be certified against ISO 24762. Certification of individuals serves as documented evidence of the professional competencies and experience of those individuals who attended the related course and passed the exam.
It demonstrates that the certified professional holds defined competencies based on best practices. It also allows organizations to make an informed selection of employees or services based on the competencies represented by the certification designation. Finally, it gives professionals an incentive to constantly improve their skills and knowledge, and serves as a tool for employers to ensure that training and awareness have been effective.
PECB training courses are offered globally through our network of authorized training providers and they’re available in several languages. The table below gives a short description about PECB’s official training course for ICT Disaster Recovery based on ISO 24762.
Choosing the right certification
The certified ISO 24762 Disaster Recovery Manager credential is a professional certification for professionals who need to demonstrate the competence to implement, maintain and manage ICT Disaster Recovery services according to ISO 24762.
Principal Authors:
Eric LACHAPELLE, PECB
Besnik HUNDOZI, PECB