Questions & Answers
What is ISO 24762?
ISO/IEC 24762:2008 is an international standard titled "Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services." It provides a framework for planning, implementing, and maintaining ICT disaster recovery (DR) services to ensure critical systems can be recovered within defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). It is crucial to note that this standard was officially withdrawn and superseded by ISO/IEC 27031:2011, "Guidelines for information and communication technology readiness for business continuity (IRBC)." Despite its replacement, the foundational principles of ISO 24762 regarding facility selection, security controls, and backup strategies remain highly relevant for designing modern Disaster Recovery Centers (DRCs) and are a key technical component within an ISO 22301 Business Continuity Management System.
How is ISO 24762 applied in enterprise risk management?
Applying the principles of ISO 24762 (now in ISO/IEC 27031) involves a structured approach.
Step 1: Conduct a Business Impact Analysis (BIA) and risk assessment, as required by ISO 22301, to identify critical ICT systems and define their RTOs and RPOs.
Step 2: Develop a DR strategy by selecting an appropriate solution, such as a hot site or cloud-based Disaster Recovery as a Service (DRaaS), based on BIA results.
Step 3: Implement the solution and conduct regular DR drills to validate its effectiveness.
A Taiwanese financial firm, for example, used these principles to reduce its core system RTO from over 24 hours to under 4 hours, achieving a 100% success rate in annual drills and passing regulatory audits.
What challenges do Taiwan enterprises face when implementing ISO 24762?
Taiwanese enterprises face three key challenges.
1. High Costs: Building and maintaining a dedicated DR site is expensive. The solution is to adopt cloud-based DRaaS, which converts high capital expenditure (CAPEX) into manageable operational expenditure (OPEX).
2. Talent Shortage: There is a lack of professionals with hybrid expertise in IT, cybersecurity, and business continuity. This can be overcome by engaging expert consultants for the initial setup and training internal teams through regular drills.
3. Regulatory Complexity: Industries like finance must comply with strict local regulations from the Financial Supervisory Commission (FSC) on data residency and outsourcing. A priority action is to conduct a regulatory gap analysis to ensure the DR solution is fully compliant.
Why choose Winners Consulting for ISO 24762?
Winners Consulting specializes in ISO 24762 for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact