ISO 24762:2008ISO 24762:2008Guidelines for ICT Guidelines for ICT disaster recovery servicesdisaster recovery services呂敏誠 Louis Lu Louis.lu@sgs.com

22008-03-31

AimAim

Aiding the operation of an Information Security Management System (ISMS) by providing guidance on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management.

32008-03-31

Business Continuity strategic and tactical capability of the organization to

plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. (Source: BS 25999-2)

Disaster Recovery Total loss of a computing environment from supporting

the business. Recovery of the computing environment from an error or major site failure.

Subset of Business Continuity.

42008-03-31

BCMBCM

SAS-70A

S_NZS

4360

CobIT

ISO

2700

1

Basel II

ISO20000

ISO

2239

9

ISO

2703

1PAS77ISO24762

SS507

NFPA

1600

52008-03-31

ISO 24762:2008 ICT DR Services

5. ICT disaster recovery 6. ICT disaster recovery facilities

7. Outsourcing service provider’s capability

8. Selection of recovery sites

9. Continuous Improvement

ISO 27002:2005 Control Objective 14.1

62008-03-31

BCM

ISO 27002ISO 27002Control 14.1Control 14.1

Information ContinuityInformation Continuitymanagementmanagement

ISO 24762ICT DR Services

Telecom

PowerSupply

DR siteAssetMgmt

FireProtection

VendorMgmt Logical

AccessControl

DR plan

PhysicalAccessControl

RiskMitigation

ISO 27005Risk Assessment

72008-03-31

ICT DR Service FrameworkICT DR Service Framework

82008-03-31

92008-03-31

BCM is an integral part of a holistic risk management process that safeguards the interests of an organization’s key stakeholders, reputation, brand and value creating activities through: identifying potential threats that may cause adverse

impacts on an organization’s business operations, and associated risks;

providing a framework for building resilience for business operations;

providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.

102008-03-31

5. ICT disaster recovery5. ICT disaster recovery

5.1 General

5.2 Environmental stability

5.3 Asset management

5.4 Proximity of site

5.5 Vendor management

5.6 Outsourcing arrangements

112008-03-31

5. ICT disaster recovery5. ICT disaster recovery

5.7 Information security

5.8 Activation and deactivation of DRP

5.9 Training and education

5.10 Testing on ICT systems

5.11 BC planning for ICT DR service providers

5.12 Documentation and periodic review

122008-03-31

6. ICT disaster recovery 6. ICT disaster recovery facilitiesfacilities 6.1 General

6.2 Location of DR sites

6.3 Physical access controls

6.4 Physical facility security

6.5 Dedicated areas

6.6 Environmental controls

6.7 Telecommunications

6.8 Power supply

132008-03-31

6. ICT disaster recovery 6. ICT disaster recovery facilitiesfacilities 6.9 Cable management

6.10 Fire protection

6.11 Emergency operations center (EOC)

6.12 Restricted facilities

6.13 Non-recovery amenities

6.14 Physical facilities and support equipment life cycle

6.15 Testing

142008-03-31

7. Outsourced service provider’s 7. Outsourced service provider’s capabilitycapability

7.1 General

7.2 Review organization disaster recovery status

7.3 Facilities requirements

7.4 Expertise

7.5 Logical access control

7.6 ICT equipment and operation readiness

7.7 Simultaneous recovery support

7.8 Levels of service

152008-03-31

7. Outsourced service provider’s 7. Outsourced service provider’s capabilitycapability

7.9 Types of services

7.10 Proximity of services

7.11 Subscription ratio for shared services

7.12 Activation of subscribed services

7.13 Organization testing

7.14 Changes in capability

7.15 Emergency response plan

7.16 Self assessment

162008-03-31

8. Selection of recovery sites8. Selection of recovery sites

8.1 General

8.2 Infrastructure

8.3 Skilled manpower and support

8.4 Critical mass of vendors and suppliers

8.5 Local service providers’ track records

8.6 Proactive local support

172008-03-31

9. Continuous improvement9. Continuous improvement

9.1 General

9.2 ICT DR trends

9.3 Performance measurement

9.4 Scalability

9.5 Risk mitigation

182008-03-31

Policies and procedures Policies and procedures

Telecommunications

Power supply

Computer and related equipment

Software

Recovery sites and facilities

Storage space for vital records and supplies

Work area recovery

Staff providing direct recovery support

Non-recovery amenities

Thank YouThank You呂敏誠 Louis Lu Louis.lu@sgs.com