ISO 24762 for IT Disaster Recovery

Fires, earthquakes, and pandemics, as well as terrorism and piracy, may cause organizations to become disaster victims at any time. A new standard, ISO 24762, will help businesses deal with the unexpected and safeguard their reputation, brand, and value-creating activities.

ISO 24762:2008, Information Technology – Security Techniques – Guidelines for Information and Communications Technology Disaster Recovery Services, as the title indicates, offers guidance on the information and communications technologies and services necessary for disaster recovery as part of business continuity management. With this guidance, ISO 24762 supports the operation of an information security management system by addressing the information security and availability aspects of business continuity management in time of crisis.

A business continuity plan includes an organization’s strategies to prepare for future national, regional, or local crises that could jeopardize its capacity to continue with its core mission, as well as its long-term stability.

According to ISO 24762, business continuity management is an integral part of any holistic risk management process and involves:

  • identifying potential threats that may cause adverse impacts to business operations and associated risks
  • providing a framework for building resilience for business operations
  • providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures

With ISO 24762, organizations will be able to build resilience into the information and communications technology infrastructure that is critical to their key business activities. This will complement their Business Continuity Management initiative (to better manage the risks that could interrupt their business activities) and their Information Security Management initiative (to effectively protect the confidentiality, integrity, and availability of information).

The fallback arrangements included in the standard will help out during periods of minor outages and, more importantly, will play an essential role in ensuring information and service availability during a disaster or failure, and for a long-term complete recovery of activities.

The standard includes guidelines on the implementation, testing, and execution aspects of disaster recovery, and can be applicable to both “in-house” and “outsourced” providers of physical facilities and services.

ISO 24762 is complemented by two other standards providing control objectives for information security aspects of business continuity management to further reduce risk:

  • ISO 27001:2005, Information Technology – Security Techniques – Information Security Management Systems – Requirements, and
  • ISO 27002:2005, Information Technology – Security Techniques – Code of Practice for Information Security Management.