Paul Kirvan, CISA, CSSP, FBCI, CBCP, board member of the Business Continuity Institute’s (BCI) U.S. chapter, discusses how ISO 24762 addresses outsourced IT disaster recovery services with SearchDisasterRecovery.com Assistant Editor John Hilliard. Listen to our latest podcast or read the transcript below.
Talk a little bit about what’s in ISO 24762, which deals with IT disaster recovery.
ISO 24762 was created to define what third-party organizations should be offering in terms of IT disaster recovery services. The standard serves as a framework for companies like hot site firms, cold site firms, managed services firms, colocation service providers, and alternate work space providers. It covers a broad range of issues vendors should address to ensure their service offerings are protected. These include building construction, security measures, provision of infrastructure services such as power, water and telecommunications, and environmental controls.
By contrast, there’s another ISO standard, ISO 27031, which focuses on end-user IT disaster recovery. A comparison of the two standards shows that ISO 24762 has a more detailed focus on the technology issues a DR vendor should be addressing. ISO 27031 is more of a high-level framework that describes the IT DR activities that should be included as part of an enterprise-level business continuity program.
Going back to ISO 24762, we note that by following the guidelines in the standard, vendors can attest to their customers and potential customers that their programs are consistent with international standards. ISO 24762 also recommends that vendors have their own disaster recovery plans. This is very important for vendors, as it can help them assure their customers that the backup and recovery resources their customers are using will be protected from unplanned disruptions.
Since this standard outlines how to start, run and maintain DR services and facilities, how closely do most organizations follow this? Are most up to speed, or is this one area that lags in IT circles?
I’d say that most disaster recovery vendors—in this country especially—are probably unaware of ISO 24762. Now is that a bad thing? Not really, because as I look over the technical and planning requirements in the standard I can tell you that most vendors who provide disaster recovery services in this country are usually very good at complying with the standard’s framework, even if they are unaware of the standard itself.
A more likely IT DR standard vendors in this country will follow is the National Institute of Standards and Technology’s (NIST) Special Publication 800-34, which provides a very practical and easy-to-use resource for IT disaster recovery planning.
Can your typical SMB make use of this standard, or is the complexity really for enterprise-level organizations?
Organizations of most any size can use the standard as a sort of mini-checklist for evaluating potential disaster recovery vendors. Simply using the table of contents as a starting point, for example, prospective customers can take most of the items and frame them as questions. One of the important questions, in this light, is the one about whether vendors have their own DR and business continuity plans.
Let me add another spin on this question. While the standard is designed for vendors and service providers, it can also be used by organizations that perform much of their own in-house DR planning, design and recovery activities. They can use the standard as a checklist to ensure they are addressing all the issues to protect their IT assets. They can also use the standard as a starting point to help build an IT disaster recovery plan.
How do you audit your organization’s DR functions? And following along the lines of the earlier question, do most organizations bother to audit their DR, or follow through with any recommendations from the auditor?
The IT disaster recovery audit process usually begins with the existence of a disaster recovery plan. (If the plan doesn’t exist, there may be other things to audit, such as user-developed or vendor-supplied recovery procedures for specific critical systems and networks.) Assuming a plan is present, it should focus on recovering critical IT systems and services that directly support critical business functions. The critical business functions are usually identified using a business impact analysis, or BIA. Potential risks, threats and vulnerabilities to these critical functions are determined with a risk assessment.
The plan should have a clear series of steps to 1) recognize an incident when it occurs; 2) begin responding to the incident; 3) initiate recovery of critical systems that were affected by the incident; and 4) restore normal business operations following recovery of critical IT systems. Each of these steps carries with it a set of auditable activities.
If an organization exercises its IT DR plans once a year, that’s pretty good. Many do not have a formal schedule for exercising, and that often means there will be no exercises at all, which is not a good thing. By contrast, exercising is a required activity for firms that are scrutinized by regulators, such as in the banking and energy industries, or which face annual IT audits from either internal or external auditors.
If IT DR plans are audited, and the auditor issues findings and recommendations in his or her report, the IT department is usually obligated to respond with an action plan—with specific dates—to satisfy the auditors.
What should a DR service offer to provide a secure recovery site and help an organization recover?
The nature of IT disaster recovery has been changing, especially with the advent of virtualization technologies. Data backup and recovery assets no longer need to be physically located at a distant storage and recovery site.
For example, a backup data storage arrangement using virtualization technologies, such as a managed data backup service using cloud-based technology, can provide a secure data repository without the need for a physical storage location. If, however, it still makes sense to have a physical (e.g., bricks and mortar) backup storage location, the remote facility does not have to be an exact duplicate of the primary site.
When considering data criticality, two major factors to be addressed are the organization’s recovery time objectives (RTO) and recovery point objectives (RPO). Depending on the RTO and RPO, data can be replicated in real-time to an external data recovery center via data mirroring technologies, or it can be mirrored to a virtual data storage facility. Or, it can be saved to high-capacity disk storage or even tape.
A good way to determine if a disaster recovery vendor has sufficiently robust and secure facilities is to use ISO 24762, once again, as a checklist to see if the vendor has truly covered all the bases. One effective way to ensure that the third-party recovery firm can effectively support a recovery is to include that firm in all DR exercises, especially since the DR firm will probably be a key player in the organization’s recovery. Most good DR vendors will include at least one annual exercise as part of their fees. Be sure to take advantage of it.