ISO 24762:2008

ISO 24762:2008

iso 24762:2008

ISO 24762 was introduced in 2008 to describe a general framework for Information and Communications Technology Disaster Recovery (ICT DR).

This standard provides a detailed description of all disaster recovery vendor requirements. This standard was introduced in 2008 specifically to address the IT disaster recovery services provided by third party businesses. It can also be applied to in-house solutions.

This is a multi-layer standard:

    1. Foundational Layer:
      • Policies
      • Performance Measurement
      • Processes
      • People

2. Supporting Infrastructure

3. Services Capability

4. Continuous Improvement

ISO 24762 is an exhaustive ICT DR framework with the following main clauses.

CLAUSES

1) ICT Disaster Recovery

A set of best practices are delineated for both in house and external, third party ICT DR services. These norms cover the following areas.

  • Environmental Stability – Strikes, demonstrations, riots, crimes, natural disasters, pandemics and similar factors all affect a site’s environmental stability.
  • Asset Management – This includes asset protection through inventory listing and storage, and the relevant documentation.
  • Proximity of Site – Site selection strategies are employed in order to choose a location for the business unit that is well insulated from various hazards.
  • Vendor Management – Staff, services, supplies and solutions provided by a company’s vendors can be impacted during an emergency. This in turn affects a business processes’ timeframes, targets and delivery deadlines.
  • Outsourcing Arrangements – The limited extent of control an organization can exert while outsourcing tasks and processes is countered through stringent controls, contractual agreements, periodic reviews and measures to increase awareness.
  • Information Security – ICT systems are grouped together in different physical locations based on their different protection requirements during crisis situations. Also, the various components of all IT security related incidents (Detection, Notification, Response and Effectiveness Analysis) are periodically assessed.
  • Activation and deactivation of disaster recovery plan – Plans and procedures are established to identify when a disaster recovery plan should be activated and when recovery measures can be stopped.
  • Training and Education – Knowledge transfer plays a big role in raising awareness amongst staff and personnel. This also involves periodic reviews to assess the relevancy of the training modules.
  • Testing on ICT systems Business continuity capabilities of ICT systems are rigorously tested during changes in organization requirements or expansion of business operations.
  • Business continuity planning for ICT DR service providers – Priorities, timeframes, minimum requirements and logistics are strategized and tested for effectiveness to minimize impact on service providers.
  • Documentation and periodic review – All DR measures are constantly archived and referred to. This allows for periodic updates and enhancements.

2) ICT Disaster Recovery Facilities

Business operations recovery is ensured by locating recovery units in risk free zones with little to no risks and vulnerabilities. In the case of multiple recovery sites, ICT DR providers must ensure that security and safety measures are consistent across sites.

  • Location of recovery sites – Recovery site locations are decided based on factors such as vulnerability to natural hazards, extreme weather incidents, availability of infrastructure, proximity of various such as public transport, medical institutions, amenities like water, gas, electricity and so on.
  • Physical access controls – Security categorization, entry-exit norms, conduct protocols and other restrictions are established for various departments while at the recovery sites.
  • Physical facility security – Recovery sites are protected from unauthorized access and other security breaches through regular inspections, constant surveillance, detection and alarm systems, personnel control through visible identification such as badges/ID cards, and management from a central location.
  • Dedicated areas – Provisions are made for dedicated areas for executing recovery measures such as assembly, holding, staging and other activities.
  • Environmental controls – Temperature, ventilation, humidity, vibration, noise and other environmental factors at the recovery site are addressed. controls, contractual agreements, periodic reviews and measures to increase awareness.
  • Telecommunications – Information sharing capabilities are established by ensuring connectivity, data security, network diversity, reliability and quality standards.
  • Power supply – A continuous and stable supply of electricity is vital for operations to continue without disruptions. This is achieved by identifying reliable service providers, establishing alternate sources of power supply such as generators, uninterrupted power supply (UPS) facilities and so on.
  • Cable management – Power supply and electronics related cables are provided adequate protection and shielding to avoid interruption and loss of information. Trays and ducts are reviewed on a regular basis for damage, tampering and other vulnerabilities.
  • Fire protection – This includes adhering to regulatory compliance norms, establishing fire escape plans and installing equipment such as fire extinguishers, escape routes and so on.
  • Emergency operations center (EOC) – Maintaining communication between business units and external entities is achieved through adequate supply of equipment, telecommunications related infrastructure, office stationery, physical facilities such as meeting areas and so on.
  • Restricted facilities – Access to various areas in the recovery site is restricted based on designation and purpose.
  • Non-recovery amenities – Measures are taken to cater to the well being and safety of the staff present at the premises during emergencies.
  • Physical facilities and support equipment life cycle – Physical facilities and support equipment are managed through adherence to compliance requirements and best practices throughout the asset’s useful life period to ensure uninterrupted access for business activity.
  • Testing – Physical facilities and equipment are kept up to date through regular maintenance and testing to ensure optimum quality.

3) Outsourced Service Provider's Capability

Service provider liability ensures that outsourced tasks and operations are provided by vendors with the basic service capabilities. This includes skilled personnel with the necessary qualifications and experience who execute DR plans that are regularly audited and updated.

  • Review organization disaster recovery status – Organizations ensure that they have a quality DR solution in place.
  • Facilities requirements – Service providers ensure that all requirements listed as per the ICT disaster recovery clause are adequately met.
  • Expertise – Service provider capability is highlighted through staff expertise and experience to provide quality solutions.
  • Logical access control – Outsourced service providers that provide operational support need to establish their credentials for handling recovery site computer systems.
  • ICT equipment and operation readiness – Computing equipment and related infrastructure are installed, operational and well maintained for optimal performance.
  • Simultaneous recovery support – Service providers need to ensure they can meet their contractual obligations despite many clients activating their DR services simultaneously.
  • Levels of service – Organizations can decide on the scope of the services solicited based on the criticality of their needs.
  • Types of Service – Organizations can decide on the range of the services solicited based on the complexity of the recovery measures.
  • Proximity of services – Service providers ensure they have the capabilities to address the recovery needs of multiple clients facing the same business disruption.
  • Subscription ratio for shared services – Service providers should keep the number of organizations subscribing to their services at an optimal number to ensure that a high quality service is always rendered.
  • Activation of subscribed services – The terms and conditions for activating and deactivating subscribed service are clearly defined.
  • Organization testing – This allows organizations to periodically test the disaster recovery services that they have subscribed to.
  • Changes in capability – Service providers should ensure that improvements in their capabilities due to investments, technological advancements and so on does not affect
  • Emergency response plan – Service providers themselves need to guard against unplanned emergencies that can hamper the solutions they provide to their clients.
  • Self assessment – Identified assessment areas are subject to extensive internal audits and comprehensive tests to ensure that solutions stay current and up to date.

4) Selection of recovery sites

Norms are established for the selection of good infrastructure where skilled manpower is readily available. This includes favorable socioeconomic conditions in the recovery site location. This is determined by the availability of infrastructure, skilled manpower and support, critical mass of vendors and suppliers, local service providers’ track records and proactive support from local community.

5) Continuous Improvement

Existing processes are constantly upgraded with the latest technology and trends depending on the demands and driving factors in the industry.

  • ICT DR trends
  • Performance measurement
  • Scalability
  • Risk Mitigation
Free DR Template
close slider

    Please prove you are human by selecting the Key.