Wednesday, August 22, 2007

ISO/IEC 27031 Information technology

ISO/IEC 27031 Information technology -- Security techniques -- ICT readiness for business continuity (draft, title uncertain)

This new business continuity standard may be based on the Singaporean BC/DR standard SS507 (see below) and may incorporate parts of British Standard BS25999. Published July 18, updated Aug 16. If you are interested, Part 2 of BS25999 is currently freely available in draft for comments prior to its formal publication, but hurry: comments were due at the end of July 2007 and final release must be imminent.

SS507 - Singapore Standards for Business Continuity/Disaster Recovery (BC/DR) Service Providers

SS507:2004 “Provides a basis to certify and differentiate the BC/DR service providers, helps the end-user organisations in selecting the best-fit service providers and provides quality assurance. Also establishes industry best practices to mitigate outsourcing risks.”

“Singapore [was] the first country in the world to introduce a Standard and Certification programme for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT Standards Committee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up-keeping of BC/DR services offered. ... By engaging a certified BC/DR service provider, assurance is provided to the end-user and frees the company to focus on its core competencies. This enhances the company’s competitive advantage as it is able to achieve stringent Recovery Time Objective, minimise business and data loss; and enjoy uninterrupted services. The certification also serves as a quality mark to inspire service providers to upgrade themselves to provide better services.”

Read a press release about SS507 and purchase a copy here.

0. Introduction

Presents the ICT DR Services Model or Framework, showing the foundation layer that defines the supporting infrastructure from which services are derived, such as policies, processes, programme, performance measurement, people and products.

1. Scope

Describes the purpose of this standard, the assumptions made when using it and what is excluded. Introduces the subsequent clauses and explains how they are to be interpreted.

2. Definitions

Defines terms used within the standard to establish a common understanding by the readers.

3. General Guidelines

Basic guidelines for the ICT DR services provision:

3.1 Environmental stability

3.2 Asset management

3.3 Proximity of services

3.4 Subscription (contention) ratio for shared services

3.5 Third party vendor management

3.6 Outsourcing arrangements

3.7 Privacy and confidentiality

3.8 Activation of subscribed services

4. Disaster Recovery Facilities

Specific guidelines for the ICT DR services provision to provide a secure physical operating environment to facilitate recovery:

4.1 Physical access control

4.2 Physical facilities and security

4.3 Environmental controls

4.4 Telecommunications

4.5 Power supply

4.6 Cable management

4.7 Fire protection

4.8 Location of recovery site

4.9 Emergency operations centre

4.10 Restricted facilities

4.11 Physical facilities and equipment lifecycle

4.12 Non recovery amenities

4.13 Testing

4.14 Training and education

5. Recovery Services Capability

Specific guidelines for the ICT DR services provision to develop the service delivery capability that supports recovery. Besides qualified staffing, other minimum capabilities include the capacity to support simultaneous disaster invocations:

5.1 Expertise

5.2 Logical access controls

5.3 Equipment and operation readiness

5.4 Simultaneous recovery support

5.5 Levels of service

5.6 Types of service

5.7 Client testing

5.8 Changes in capability

5.9 Emergency response plan

5.10 Self-assessment

5.11 Disaster recovery training and education

6. Guidelines for Selection of Recovery Sites

Provides guidelines on the factors to consider when selecting recovery sites, such as:

6.1 Infrastructure

6.2 Skilled manpower and support

6.3 Critical mass of vendors and suppliers

6.4 Local service providers’ track records

6.5 Proactive local support

7. Additional Guidelines for the Professional ICT DR Service Provider

Additional guidelines for professional service providers in the provision of ICT DR services.

From : iso27001security.com
