ISO/IEC 24762:2008
Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services. ISO/IEC 24762:2008 specifies: the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities; the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate organizations' recovery efforts; the guidance for selection of recovery site; and the guidance for ICT DR service providers to continuously improve their ICT DR services.
Technologies de l'information — Techniques de sécurité — Lignes directrices pour les services de secours en cas de catastrophe dans les technologies de l'information et des communications
General Information
- Status: Withdrawn
- Publication Date: 30-Jan-2008
- Withdrawal Date: 30-Jan-2008
- Drafting Committee: ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services
- Current Stage: 9599 - Withdrawal of International Standard
- Start Date: 26-Jun-2014
- Completion Date: 14-Feb-2026
Frequently Asked Questions
ISO/IEC 24762:2008 is a standard published jointly by ISO and IEC through ISO/IEC JTC 1/SC 27. Its full title is "Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services"; its scope is summarized in the abstract above.
ISO/IEC 24762:2008 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification identifies the subject area and helps in finding related standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 24762
First edition 2008-02-01
Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services
Technologies de l'information — Techniques de sécurité — Lignes directrices pour les services de secours en cas de catastrophe dans les technologies de l'information et des communications
Reference number: ISO/IEC 24762:2008(E)
© ISO/IEC 2008
© ISO/IEC 2008
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
0 Introduction
0.1 General
0.2 Structure
0.3 Framework
0.4 Interpretation of clauses
1 Scope
1.1 General
1.2 Exclusions
1.3 Audience
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 ICT disaster recovery
5.1 General
5.2 Environmental stability
5.3 Asset management
5.4 Proximity of site
5.5 Vendor management
5.6 Outsourcing arrangements
5.7 Information security
5.8 Activation and deactivation of disaster recovery plan
5.9 Training and education
5.10 Testing on ICT systems
5.11 Business continuity planning for ICT DR service providers
5.12 Documentation and periodic review
6 ICT disaster recovery facilities
6.1 General
6.2 Location of recovery sites
6.3 Physical access controls
6.4 Physical facility security
6.5 Dedicated areas
6.6 Environmental controls
6.7 Telecommunications
6.8 Power supply
6.9 Cable management
6.10 Fire protection
6.11 Emergency operations center (EOC)
6.12 Restricted facilities
6.13 Non-recovery amenities
6.14 Physical facilities and support equipment life cycle
6.15 Testing
7 Outsourced service provider’s capability
7.1 General
7.2 Review organization disaster recovery status
7.3 Facilities requirements
7.4 Expertise
7.5 Logical access control
7.6 ICT equipment and operation readiness
7.7 Simultaneous recovery support
7.8 Levels of service
7.9 Types of service
7.10 Proximity of services
7.11 Subscription ratio for shared services
7.12 Activation of subscribed services
7.13 Organization testing
7.14 Changes in capability
7.15 Emergency response plan
7.16 Self assessment
8 Selection of recovery sites
8.1 General
8.2 Infrastructure
8.3 Skilled manpower and support
8.4 Critical mass of vendors and suppliers
8.5 Local service providers’ track records
8.6 Proactive local support
9 Continuous improvement
9.1 General
9.2 ICT DR trends
9.3 Performance measurement
9.4 Scalability
9.5 Risk mitigation
Annex A (informative) Correspondence between ISO/IEC 27002:2005 and this International Standard
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 24762 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard is aimed at aiding the operation of an Information Security Management System
(ISMS) by providing guidance on the provision of information and communications technology disaster
recovery (ICT DR) services as part of business continuity management.
Information security management is the process by which management aims to achieve effective
confidentiality, integrity and availability of information and service. When an organization implements an ISMS
the risks of interruptions to business activities for any reason should always be identified.
ISO/IEC 27001 and ISO/IEC 27002 include a control objective for information security aspects of business
continuity management (refer to Control Objective 14.1 in ISO/IEC 27002:2005), the implementation of which
will reduce those risks. That control objective is supported by controls to be selected and implemented as part
of the ISMS process.
Business continuity management is an integral part of a holistic risk management process that safeguards the interests of an organization’s key stakeholders, reputation, brand and value creating activities through:
- identifying potential threats that may cause adverse impacts on an organization’s business operations, and associated risks;
- providing a framework for building resilience for business operations;
- providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.
In planning for business continuity, the fallback arrangements for information processing and communication
facilities become beneficial during periods of minor outages and essential for ensuring information and service
availability during a disaster or failure for the (complete) recovery of activities over a period of time. Such
fallback arrangements may include arrangements with third parties in the form of reciprocal agreements, or
commercial subscription services.
0.2 Structure
This International Standard provides guidelines for ICT DR services, which include both those provided in-house and those outsourced. It covers facilities and services capability and provides fallback and recovery support
to an organization’s ICT systems. It includes the implementation, testing and execution aspects of disaster
recovery. It does not include other aspects of business continuity management.
The guidelines are applicable to both “in-house” and “outsourced” ICT DR service providers of physical
facilities and services in varying degrees. ICT DR service providers should interpret the intent of these
guidelines within the context of the services they offer.
These guidelines include the requirements for implementing, operating, monitoring and maintaining ICT DR
services, divided into two areas:
a) ICT disaster recovery (Clause 5); and
b) ICT disaster recovery facilities (Clause 6).
Clause 7, “outsourced service provider’s capability”, specifies the capabilities which outsourced ICT DR
service providers should possess, and the practices they should follow, for them to be able to provide basic
secure operating environments and facilitate organizations’ recovery efforts. The capabilities required are
specified in terms of the infrastructure and services needed to enable organizations to implement and execute
their ICT DR plans. (It should be noted that although this clause is targeted at outsourced service providers,
the guidelines it contains are also recommended for adoption by service providers in general.)
Clause 8, “selection of recovery sites”, provides guidance for:
a) organizations that are in the process of selecting an external recovery site as part of their ICT DR
practices;
b) ICT DR service providers who are in the process of building (additional) recovery sites to expand their
operations.
Factors such as environmental stability, good infrastructure and availability of skilled manpower locally, may
provide a favourable environment for the operation of ICT DR recovery sites. Further, the presence of other
ICT DR service providers and their suppliers may create a critical mass for a vibrant local industry. The track
record of key players is another indicator of the maturity and vibrancy of the local ICT DR industry. Where
applicable, proactive support of the local authority may also contribute to the growth and expansion of this
industry.
Clause 9, “continuous improvement”, provides guidance for ICT DR service providers on ensuring continuous
improvement to their ICT DR services through a set of practices. These practices can enable service
providers to continuously maintain and improve the level of their services and thus provide an additional level
of assurance to organizations engaging these services.
0.3 Framework
0.3.1 ICT DR service provision framework
This International Standard is based on a multi-tier framework comprising different elements in the ICT DR
services provision, as illustrated in Figure 1. The “foundation” layer comprises the important aspects of ICT
DR services, namely Policies, Performance Measurement, Processes and People. This layer helps to define
the supporting infrastructure and services capability. The “continuous improvement” layer highlights practices
that help to improve ICT DR activities in specific areas, and represents an added level of provision to the
services provided. Thus the guidelines in this International Standard are drawn from a composite view of
these layers, and with a balance between cost effectiveness and standard rigor considerations.
Figure 1 ― ICT DR service provision framework (figure: a "foundation" layer of Policies, Performance Measurement, Processes and People underpins Infrastructure and Services Capability; the Organization's ICT DR Requirements feed in, and the outcome is Effective Provision of ICT DR Services in Support of the Organization's Business Continuity Management; a Continuous Improvement layer sits above)
0.3.2 Policies
“Policies” enable ICT DR service providers to set the direction on the other, related, areas of their ICT DR
services, and also enable clear communication to the relevant parties on the requirements that can be met by
ICT DR service provider facilities.
The “Policies” aspect is elaborated on in clauses 5 to 9 of this International Standard. An established policy is
usually expressed as “the system should include the following policies …” or “there should be documented
policies and procedures …”.
0.3.3 Performance measurement
“Performance Measurement” enables ICT DR service providers to review and improve their services, and at
the same time provides a means for service providers to demonstrate that their services meet organization
requirements. This will in turn help to promote the ICT DR industry service level as a whole.
The “Performance Measurement” aspect is elaborated on in clause 9.3 of this International Standard, which
explains the need for measuring the performance of ICT DR services and illustrates some examples of
measurement metrics that service providers can select.
0.3.4 Processes
“Processes” ensures that a consistent approach will be adopted in the other areas of ICT DR services, making
possible the continuous maintenance of service levels and the ease of training of ICT DR personnel.
The “Processes” aspect is elaborated on in clauses 5 to 9 of this International Standard. An established
process is usually expressed as “… according to appropriate established procedures”, “establish a set of
procedures to ensure …”, or “there should be documented policies and procedures …”.
0.3.5 People
“People” relates to the pool of skilled and knowledgeable service provider, organization and, as relevant, third-
party personnel needed to help operate, uphold and maintain ICT DR practices. The safety and welfare of
personnel is also one of the aspects ICT DR service providers will need to take care of.
The “People” aspect is elaborated in various clauses of this International Standard. Clause 5.9 covers the
general training and education guidelines, and clause 7.4 elaborates on the need for service provider
management expertise. Clauses 6.10 and part of 6.12 cover personnel health and safety, and clause 6.13
provides guidance on personnel welfare aspects.
0.4 Interpretation of clauses
0.4.1 Statements on capability expectations
Statements on capability expectations typically contain the phrase “… service providers should be capable
of providing organizations with …”, meaning that service providers should possess certain capabilities. Such
capabilities could be a latent potential that can be swiftly activated by service providers if there is organization
demand. For example, additional resources could be readily channelled from another unit (e.g. from
elsewhere in the region or country, or from overseas) in response to an organization requirement. Obviously
the actual provision of a particular stated capability to any organization would be subject to contract
negotiations between service provider and organization.
0.4.2 Supplementary requests by organizations
Certain statements in this International Standard can lead organizations to making supplementary requests to
service providers based on their specific ICT DR requirements. Such requests will be subject to further
negotiations between service providers and organizations and not within the purview of this International
Standard. For example, organizations may request audits of their service providers. The latter may levy fees
for such requests.
0.4.3 Service level agreement (SLA)/Service level commitment (SLC)
Certain subjects raised in this International Standard can be SLA/SLC issues. However, they do not dictate
the content of the SLA/SLC between service providers and organizations. The subjects raised are intended to
build common understanding and expectation between service providers and organizations. In particular they
serve to draw organizations’ attention to the typical items that could be included in SLA/SLC negotiations.
INTERNATIONAL STANDARD ISO/IEC 24762:2008(E)
Information technology — Security techniques — Guidelines for
information and communications technology disaster recovery
services
1 Scope
1.1 General
This International Standard describes the basic practices which ICT DR service providers, both in-house and
outsourced, should consider.
It covers the requirements that service providers should meet, recognizing that individual organizations may
have additional requirements that are specific to them (which would have to be addressed in the
agreements/contracts with service providers). Examples of such organization requirements may include
special encryption software and secured operation procedures, equipment, knowledgeable personnel and
application documentation. Such additional organization specific requirements, if necessary, are generally
negotiated on a case-by-case basis and are the subject of detailed contract negotiations between
organizations and their ICT DR service providers and are not within the scope of this International Standard.
1.2 Exclusions
This International Standard does not:
a) provide any guidance on business continuity management as a whole for organizations;
b) take precedence over any laws and regulations, both existing and those in the future;
c) have any legal power over the Service Level Agreements (SLAs) included in negotiated contracts
between organizations and service providers;
d) address requirements, legal or otherwise, governing normal business operations to be adhered to by
service providers. Examples of such requirements include detailed regulations covering building and fire
safety, occupational health and safety, copyright regulation and prevailing human resource practices;
e) provide an exhaustive list, and thus technical security controls are not covered. Readers should refer to
ISO/IEC 27001 and ISO/IEC 27002, vendor literature and other technical references, as necessary.
1.3 Audience
This International Standard applies to:
a) all organizations requiring the ICT DR services as part of their business (whether in-house and/or
outsourced);
b) ICT DR service providers in their provision of ICT DR services;
c) communities of organizations with reciprocal or mutual arrangements.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information
security management
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
computing and related equipment
computer, network, telecommunications and peripheral equipment that support the information processing
activities of organizations
3.2
ICT systems
hardware, software and firmware of computers, telecommunications and network equipment or other
electronic information handling systems and associated equipment
NOTE ICT systems include any equipment or interconnected systems or subsystems of equipment that are used in
the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or
reception of data/information.
3.3
information security
preservation of confidentiality, integrity and availability of information
NOTE 1 In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be
involved.
NOTE 2 Adapted from ISO/IEC 27002:2005.
3.4
infrastructure
facilities and equipment to enable the ICT DR services, including but not limited to power supply,
telecommunications connections and environmental controls
3.5
organizations
entities which utilize ICT DR services
3.6
outsourced service providers
external service providers of ICT DR services
3.7
service providers
in-house teams or external parties providing ICT DR services to organizations
3.8
service level agreement
written agreement between a service provider and an organization that documents services and agreed
service levels
NOTE In the case of outsourced service providers, the service level agreement is a written contractually binding
agreement
3.9
service level commitment
commitment from a service provider (usually an internal service provider) to an organization that defines
services and agreed service levels
4 Abbreviated terms
DBA Data Base Administrator
EMF Electro Magnetic Field
ICT DR Information and Communications Technology Disaster Recovery
MDF Main Distribution Frame
PDA Personal Digital Assistant
SLA Service Level Agreement
SLC Service Level Commitment
UPS Uninterruptible Power Supply
USB Universal Serial Bus
VFI Voltage and Frequency Independent
WAR Work Area Recovery
5 ICT disaster recovery
5.1 General
ICT DR service provision, irrespective of whether it is provided in-house or outsourced, should follow best
practice guidelines as outlined in the following clauses. If the guidelines are followed there will be assurance
that ICT DR services have been implemented after due consideration of unforeseen events that could affect
the ability to fulfil service obligations, and related risk mitigation via prior arrangements with other service
providers in the industry.
It should be noted that:
a) these guidelines will be applicable to ICT DR service providers (of physical facilities and services) in
varying degrees. ICT DR service providers should interpret the intent of the guidelines in the context of
the particular facilities and services they offer or intend to offer;
b) the issue of site proximity should be taken into consideration when ICT DR service providers contract and
agree SLAs with organizations.
5.2 Environmental stability
Environmental stability is important for the direct operation of a recovery center as well as personnel travel,
safety and welfare. The utilities required for the operation of a recovery center, such as power supply and
telecommunications, can be affected by environmental instability. Personnel travel and safety to/from a
recovery center can be affected by disruption to the transportation system. Personnel welfare and social
activities after work can also be limited by an unsafe external environment. The frequent occurrence on a
large scale of the following type of activities would indicate underlying environmental instability:
a) strikes;
b) demonstrations;
c) riots;
d) violent crimes;
e) natural disasters;
f) pandemics;
g) deliberate attacks, e.g. terrorist bombing, biological attacks.
5.3 Asset management
5.3.1 General
Service providers should ensure that assets placed in their ICT DR premises are capable of being uniquely
identified, located and retrieved in a timely manner when required by organizations. In addition to computing
and related equipment, assets include: application software, vital records stored on media (magnetic or
otherwise), and necessary operational documentation placed in service providers’ operational premises to
facilitate recovery from disasters and failures.
5.3.2 Organization ownership rights and privileges
Service providers should explicitly document and maintain the listing of assets that are in their ICT DR
premises. In the case of outsourced service providers, the asset list should be included in service contracts
with appropriate clauses inserted to identify their ownership rights and privileges.
5.3.3 Asset protection
For all assets located in their ICT DR premises, service providers should ensure that:
a) a list of the assets is maintained [this could be through use of a configuration management “system” and
associated processes that maintain details of current versions of documentation, software, and all other
assets (ISO/IEC 20000 provides guidance on establishing configuration management)];
b) all assets are tagged/marked in a manner that uniquely identifies ownership;
c) in the case of outsourced ICT DR service provision, organizations and outsourced service providers do
not display explicit organization names in the asset tagging/marking to ensure that security is not
compromised. For example, equipment mounted on shared racks should not have explicit organization
names as part of the tag/mark.
Service providers should establish “systems” 1) to protect, maintain, locate, retrieve and return all organization
tagged/marked assets located at their premises, and ensure that organization ICT DR assets are:
a) located and kept in safe environments;
b) maintained in good operating conditions, with the installation of appropriate environmental controls;
c) not used or redeployed for other than contracted purposes;
and that the location of organizations’ ICT DR assets is accurately tracked for retrieval.
In the case of outsourced ICT DR service provision, outsourced service providers should ensure that:
a) organizations are informed when their assets are being relocated;
b) organizations’ assets are retrieved and returned within a predetermined and agreed timeframe when
requested by organizations;
c) organizations are forewarned and their assets returned to them according to appropriate established and
agreed procedures before the onset of any seizure or stoppages.
Organizations should consider the implications of disaster recovery data and other assets being stored across
national boundaries, and ensure that compliance is maintained with all relevant legal and regulatory
requirements.
5.3.4 Availability of documentation
Service providers (if required by their SLAs) and organizations should maintain duplicate copies of plans,
disaster/failure procedures and other essential information for managing disasters and failures, including
details of how to contact staff and of access points for emergency services. Such duplicate plans, procedures
and other essential information should be kept off site at easily accessible locations.
5.4 Proximity of site
DR sites should be in geographic areas that are unlikely to be affected by the same disaster/failure events as
organizations’ primary sites. The issue of site proximity and associated risks should be taken into
consideration when ICT DR service providers contract and agree SLAs with organizations.
5.5 Vendor management
5.5.1 General
Service providers should assess the relevant risks and then take adequate steps to ensure that critical
equipment and services can be provided by their vendors within predetermined and agreed timeframes. Such
vendors could include original equipment manufacturers and/or suppliers.
The following guidelines are applicable only to equipment supplied by service providers. Organizations that
place their equipment in a recovery site should make their own arrangements with their equipment vendors or
suppliers.
1) “Systems” are composed of integrated and interacting components of processes, resources and implementation elements (such as technical implementation of controls or practices) to achieve their stated purpose.
5.5.2 Critical equipment support
Service providers should establish procedures to ensure dedicated support of critical equipment from their
vendors, e.g. procedures to ensure replacement and delivery of critical ICT components within a predefined
and agreed time.
5.5.3 Procurement system
Service providers should ensure that a procurement “system” is established to govern the supply of equipment,
both new purchases and replacement. The “system” should encompass the following:
a) delivery modes and lead time of equipment and spares;
b) warranty period in case of any emerging defects;
c) associated support offered in terms of installation, commission and training, as appropriate;
d) for each critical ICT component, the provision of additional information, including:
1) description – name, device number and date purchased;
2) manufacturers;
3) suppliers;
4) availability;
5) delivery and installation time.
5.5.4 Equipment supplied by third parties
Service providers should ensure that, as equipment may be supplied by third-party vendors on a rental or
lease basis, the contractual agreements with these vendors include the following provisions:
a) repair and replacement of faulty parts in the event of equipment malfunction;
b) identification of equipment not covered by insurance;
c) terms and conditions for withdrawal of rental equipment by suppliers.
5.5.5 Staff supplied by third parties
Service providers should establish procedures to ensure the quality and integrity of vendor staff directly
involved in the support of their recovery services. This should encompass personnel supplied by vendors to:
a) maintain and repair facilities and equipment, both on site and off site;
b) provide permanent support to services at the service provider premises, as contracted staff to service
providers. The contracts should encompass the:
1) provision of replacements within predetermined and agreed times if the supplied contract staff are
not available or unable to perform the assigned ICT DR tasks;
2) confirmation of any required security clearances of these contract staff.
5.6 Outsourcing arrangements
5.6.1 General
Service providers could make outsourcing arrangements with their vendors on a temporary or permanent
basis. Compared with third-party vendor management relating to equipment and services supplied by vendors,
service providers may have a lesser degree of control in any outsourcing arrangement. Thus, greater
emphasis should be placed on the selection and management of outsourced vendors. This includes ensuring
vendor awareness of the peculiarity of service provider business needs, more stringent contractual
agreements, more thorough periodic review of outsourced arrangements, and close review of vendor security
controls and the quality of vendor staff.
Such outsourcing arrangements should not affect the ability of service providers to fulfil their services to
organizations. In addition, the primary service responsibility still lies with service providers and cannot be
transferred to these outsourced parties.
5.6.2 Vendor awareness
Service providers should ensure that all external parties involved in outsourcing, including subcontractors, are
made aware of their responsibilities and liabilities in support of service provider services, e.g. periodic
briefings should be held for all outsourced vendors.
5.6.3 Contractual agreement
Service providers should ensure that the responsibilities and liabilities of outsourced vendors, including their
subcontractors, are spelt out formally in contractual agreements, e.g. outsourced vendors should replenish
supplies within a predetermined and agreed period of time.
5.6.4 Periodic review
Service providers should review the risks of outsourcing to vendors at least once a year. The reviews should
examine the following concerns:
a) financial health and viability of the vendors;
b) new avenues for alternate supplies.
5.6.5 Vendor security controls
Service providers should ensure that the same level of physical, logical and other security controls is
adopted by all parties involved in outsourcing arrangements, to restrict, limit and protect access to service
provider outsourced functions. This should encompass all associated equipment, computer hardware and
software, and facilities.
Service providers should also ensure that they regularly audit all physical, logical and other relevant security
controls put in place by outsourced parties.
5.6.6 Quality of vendor staff
Service providers should ensure that their outsourced vendors have formal policies and procedures in place in
relation to the hire of staff to provide services. These policies and procedures should be included as part of
contractual agreements with outsourced vendors, and include the required:
a) staff qualifications and experience;
b) security clearance(s) of vendor staff, as appropriate;
c) policies on matters such as ethics, behaviour, and sexual or racial harassment;
d) policies and procedures on performance monitoring;
e) policies and procedures on replacement of staff.
5.7 Information security
5.7.1 General
Service providers should ensure that organizations’ information security is not compromised, and in doing so
may need to invest in additional resources to segregate and maintain organizations’ information security.
Service providers should communicate the physical, logical and other relevant security arrangements
(including for information security incident (and weakness) management) to organizations, and agree with
organizations the applicability of the security arrangements were a disaster plan to be activated. The DR
facilities and equipment should be assessed to be sure that they meet the protection requirements of
organizations.
Service providers should consider adopting ISO/IEC 27001 and ISO/IEC 27002 to ensure that relevant
security requirements will be met.
5.7.2 Isolation of ICT systems
Service providers should ensure that information from one organization’s ICT system is not accessible or
made known to another organization’s ICT system, unless authorised. Service providers should establish a
means to identify and physically and logically isolate the different ICT systems which are located in their
premises, and are:
a) supported and maintained by different external vendors;
b) subscribed to by different organizations.
5.7.3 Personnel restriction and segregation
Service providers should establish a means to identify and segregate different personnel at their recovery
facilities from access to ICT systems and information, based on the need, to ensure that:
a) there are restrictions on physical access to facilities housing ICT systems. For example, ICT systems with
different protection requirements should be located in separate buildings or areas/rooms to enable
physical access control to be properly implemented;
...