ISO/IEC 24762 Guidelines for information and communications technology disaster recovery services

ISO/IEC 24762:2008 is an international standard titled 'Guidelines for information and communications technology disaster recovery services'. It provides a comprehensive framework for organizations to plan, implement, and manage ICT disaster recovery (DR) services. The standard covers critical aspects such as DR site selection, infrastructure requirements, data replication, testing, and service level agreements (SLAs). Within an enterprise risk management context, it serves as a technical foundation for a broader Business Continuity Management System (BCMS), as outlined in ISO 22301, by focusing specifically on the availability and integrity of IT systems. It is crucial to note that this standard has been officially withdrawn and superseded by ISO/IEC 27031:2011, 'Guidelines for ICT readiness for business continuity', which offers a more modern and integrated approach. However, the core principles of ISO 24762 remain influential in DR planning.

Although withdrawn, the principles of ISO 24762 are practically applied in building an enterprise's DR capabilities. The implementation involves three key steps: 1) **Analysis and Strategy**: Conduct a Business Impact Analysis (BIA) per ISO 22301 to identify critical ICT assets and define their Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Based on this, formulate a DR strategy, choosing from options like hot/warm/cold sites or modern Disaster Recovery as a Service (DRaaS). 2) **Solution Design and Implementation**: Use the standard's guidelines to design the DR facility, including physical security, network topology, and server/storage infrastructure. Implement robust data replication mechanisms between the primary and DR sites. 3) **Testing and Maintenance**: Regularly conduct DR drills to validate that RTO/RPO targets are met. For instance, financial institutions in Taiwan are required by regulators to perform annual DR tests. Measurable outcomes include achieving a DR test success rate of over 99%, ensuring compliance, and minimizing potential financial losses from downtime.

Taiwanese enterprises face several key challenges when implementing DR frameworks based on ISO 24762 or its successor, ISO/IEC 27031: 1) **High Costs**: The capital expenditure (CAPEX) and operational expenditure (OPEX) for building and maintaining a physical DR center are substantial, posing a significant barrier for SMEs. **Solution**: Adopt Disaster Recovery as a Service (DRaaS) on public clouds like AWS or Azure to convert CAPEX into predictable OPEX. 2) **Talent Shortage**: Effective DR planning requires professionals with hybrid expertise in IT infrastructure, cybersecurity, and business continuity, who are scarce in the market. **Solution**: Engage external consultants for initial setup and conduct targeted training to upskill internal teams. 3) **Outdated Standard Navigation**: Since ISO 24762 is withdrawn, organizations must align their practices with its successor, ISO/IEC 27031, and integrate modern technologies. **Solution**: Adopt an integrated management system approach, combining the guidelines of ISO/IEC 27031 with the requirements of ISO 22301 (BCMS) and ISO/IEC 27001 (ISMS) for a holistic and current framework.

Winners Consulting specializes in ISO 24762 for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact