The new Standard ISO/IEC 24762:2008, Information technology ¡V Security techniques ¡V Guidelines for information and communications technology disaster recovery services is described by the ISO as supporting the operation of an information security management system (ISMS) by addressing the information security and availability aspects of business continuity management in time of crisis. The standard also offers IT lawyers a possible shorthand for a range of contractual requirements.
According to ISO/IEC 24762:2008, business continuity management is an integral part of any holistic risk management process and involves:
„X identifying potential threats that may cause adverse impacts on an organization¡¦s business operations, and associated risks
„X providing a framework for building resilience for business operations
„X providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.
With this new standard, say the ISO, organizations will be able to build resilience into their information and communications technology (ICT) infrastructure critical to their key business activities. This will complement their business continuity management initiative (to better manage relevant risks possibly interrupting their business activities) and their information security management initiative (to effectively protect the confidentiality, integrity and availability of information).
Mr Philip Sy, project editor of ISO/IEC 24762:2008, commented: ¡§This next generation standard takes into account today¡¦s technological developments to minimize damage in a crisis situation from an information security and communication standpoint. The fallback arrangements included in the standard will help out both during periods of minor outages and, more importantly, will play an essential role in ensuring information and service availability during a disaster or failure, and for a long-term complete recovery of activities. This is particularly important today as organizations around the world are increasingly vulnerable to threats of terrorism, natural disasters, piracy and other crises.
The standard includes guidelines on the implementation, testing and execution aspects of disaster recovery, and can be applicable to both in-house and outsourced ICT DR service providers of physical facilities and services. It provides guidance on:
„X implementing, operating, monitoring and maintaining the necessary facilities and services necessary for disaster recovery (such as the implementation of a public announcement system to alert personnel to leave a building, or the requirement that all electronic doors can be opened manually from the inside)
„X fallback and recovery support for the organization¡¦s ICT systems
„X the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate the organizations’ recovery efforts
„X the selection of a recovery site (e.g. considering factors such as environmental stability, good infrastructure, etc.), and
„X requirements for ICT DR service providers to continuously improve their ICT DR services.
ISO/IEC 24762:2008 is an initiative of ISO and the International Electrotechnical Commission (IEC) developed within the joint technical committee ISO/IEC JTC1, Information technology, subcommittee SC 27, IT Security techniques.
For more on the new standard, click here.