SS 507-2015现行

This standard describes the basic practices which ICT DR service providers, both in-house and/or outsourced, should consider.\nIt covers the requirements that service providers shall meet, recognising that individual organisations may have additional requirements that are specific to them (which would have to be addressed in their agreements/contracts with service providers). Examples of such organisation requirements may include special encryption software and secured operation procedures, equipment, knowledgeable personnel and application documentation. Such additional organisation specific requirements, if necessary, are generally negotiated on a case-by-case basis and are the subject of detailed contract negotiations between organisations and their ICT DR service providers and are not within the scope of this standard.\nThis standard does not:\na) provide any requirements on business continuity management as a whole for organisations;\nb) take precedence over any laws and regulations, both existing and those in the future;\nc) have any legal power over the SLAs included in negotiated contracts between user organisations and service providers;\nd) address requirements, legal or otherwise, governing normal business operations to be adhered to by service providers. Examples of such requirements include detailed regulations covering building and fire safety, occupational health and safety, copyright regulation and prevailing human resource practices;\ne) provide an exhaustive list, and thus technical security controls are not covered. Readers shall refer to ISO/IEC 27001 and ISO/IEC 27002, vendor literature and other technical references, as necessary.\nThis standard applies to:\na) all organisations requiring the ICT DR services as part of their business (whether in-house and/or outsourced);\nb) ICT DR service providers in their provision of ICT DR services; and\nc) communities of organisations with reciprocal or mutual arrangements relating to ICT DR services.\nCertification categories\nICT DR service providers to be certified can be divided into two distinct categories: disaster recovery facility provider and disaster recovery service provider. Certification of the former examines physical infrastructure while certification of the latter examines its service capability.\nDisaster recovery facility provider certification\nThe following clauses apply to disaster recovery facility provider certification:\na) Clause 5;\nb) Clause 6; and\nc) Clause 8.\nDisaster recovery service provider certification\nThe following clauses apply to disaster recovery service provider certification:\na) Clause 5;\nb) Clause 6;\nc) Clause 7; and\nd) Clause 8.\nExemption for internal service providers\nFor internal service providers, the following clauses are not applicable if they only provide services to one production site:\na) Clause 5.4;\nb) Clause 5.5;\nc) Clause 7.6;\nd) Clause 7.7;