
SINGAPORE STANDARD

SS 507 : 2008
(ICS 35.040)

SINGAPORE STANDARD FOR
Information and
communications technology
disaster recovery services

Published by
SPRING Singapore
2 Bukit Merah Central
Singapore 159835
SPRING Singapore Website: www.spring.gov.sg
Standards Website: www.standards.org.sg


All rights reserved. Unless otherwise specified, no part of this Singapore
Standard may be reproduced or utilised in any form or by any means,
electronic or mechanical, including photocopying and microfilming, without
permission in writing from SPRING Singapore at the address below:

Head
Standardisation Department
SPRING Singapore
2 Bukit Merah Central
Singapore 159835
Telephone: 62786666 Telefax: 62786667
Email: stn@spring.gov.sg

ISBN 981-4154-60-1


Contents
Page

National Foreword 8
Foreword 10


CLAUSES

0 Introduction 11
0.1 General 11
0.2 Structure 11
0.3 Framework 12
0.4 Interpretation of clauses 13
1 Scope 14
1.1 General 14
1.2 Exclusions 14
1.3 Audience 14
1.4 Certification 15
2 Normative references 15
3 Terms and definitions 16
4 Abbreviated terms 17
5 ICT disaster recovery 17
5.1 General 17
5.2 Environmental stability 17
5.3 Asset management 18
5.4 Proximity of site 19
5.5 Vendor management 19
5.6 Outsourcing arrangements 20
5.7 Information security 21
5.8 Activation and deactivation of disaster recovery plan 23
5.9 Training and education 24
5.10 Testing on ICT systems 25
5.11 Business continuity planning for ICT DR service providers 26
5.12 Documentation and periodic review 27
6 ICT disaster recovery facilities 27
6.1 General 27
6.2 Location of recovery sites 27
6.3 Physical access controls 29
6.4 Physical facility security 33
6.5 Dedicated areas 37
6.6 Environmental controls 38

6.7 Telecommunications 39
6.8 Power supply 41
6.9 Cable management 43
6.10 Fire protection 44
6.11 Emergency operations centre (EOC) 46
6.12 Restricted facilities 47
6.13 Non-recovery amenities 50
6.14 Physical facilities and support equipment life cycle 51
6.15 Testing 53
7 Outsourced service providers capability 55
7.1 General 55
7.2 Review organisation disaster recovery status 55
7.3 Facilities requirements 57
7.4 Expertise 57
7.5 Logical access control 59
7.6 ICT equipment and operation readiness 61
7.7 Simultaneous recovery support 63
7.8 Levels of services 63
7.9 Types of services 64
7.10 Proximity of services 65
7.11 Subscription ratio for shared services 66
7.12 Activation of subscribed services 66
7.13 Organisation testing 66
7.14 Changes in capability 67
7.15 Emergency response plan 68
7.16 Self assessment 70
8 Selection of recovery sites 72
8.1 General 72
8.2 Infrastructure 72
8.3 Skilled manpower and support 73
8.4 Critical mass of vendors and suppliers 73
8.5 Local service providers track records 73
8.6 Proactive local support 73
9 Continuous improvement 74
9.1 General 74
9.2 ICT DR trends 74
9.3 Performance measurement 75
9.4 Scalability 75
9.5 Risk mitigation 76

ANNEX

A Correspondence between ISO/IEC 27002 and this Singapore Standard 78


FIGURES

1 ICT DR service provision framework 12
2 Business continuity planning approach 26
3 Disaster recovery planning approach 56


Bibliography 80


National Foreword


This Singapore Standard was prepared by the Technical Committee on Security and Privacy
Standards under the purview of the Information Technology Standards Committee.

This standard is a revision of SS 507, first published in 2004. In the few years since the 2004
edition was published, a number of service providers, both commercial providers and internal
support service providers, have been certified to this standard.

The revised standard is a modified adoption of ISO/IEC 24762 : 2008 Guidelines for information
and communications technology disaster recovery services, and redrafted to incorporate the
modifications to the standard. The modifications are specified below:

Clause/Subclause    Modification

General             Changed all "should" to "shall" to specify the clauses as requirements,
                    except those clauses that need to remain as optional requirements.
                    Changed all relevant guidance to requirements to specify the clauses
                    as requirements.

Clause 1.4          Included a new clause 1.4 to specify certification types and their
                    respective applicable clauses.

Clause 7.15.2       Added a note to explain how the clause can practically apply to
                    outsourced service providers.

The awareness of information and communications technology disaster recovery (ICT DR) services has
grown due to threats from terrorism and geopolitical tension. There are increased threats to the
resilience of companies' IT and telecommunications infrastructure worldwide. Enterprises are looking
at alternative locations for recovery purposes in the event of disruptions.

There is a strong value chain of service providers supporting the ICT DR cluster in Singapore. ICT DR
service providers face challenges such as a need to differentiate themselves to retain competitive
advantage and a need to maintain and constantly improve service levels.

Some concerns faced by end-user organisations include the lack of clarity over the different types
of service providers and the risk involved in outsourcing arrangements, especially for ICT DR
functions.

This standard is targeted at ICT DR service providers (internal and outsourced) that wish to get
certified under the standard, as well as at ICT DR service providers and organisations that use the
standard as a reference document.

This standard also provides a basis to certify and differentiate the outsourced ICT DR service
providers, helps the end user organisations in selecting the best-fit service providers and provides
quality assurance. It also establishes industry best practices to mitigate outsourcing risks.

Attention is drawn to the possibility that some of the elements of this Singapore Standard may be the
subject of patent rights. SPRING Singapore shall not be held responsible for identifying any or all of
such patent rights.



NOTE
1. Singapore Standards are subject to periodic review to keep abreast of technological changes and new
technical developments. The changes in Singapore Standards are documented through the issue of either
amendments or revisions.

2. Compliance with a Singapore Standard does not exempt users from legal obligations.

Foreword


ISO (the International Organisation for Standardisation) is a worldwide federation of national
standards bodies (ISO member bodies). The work of preparing International Standards is normally
carried out through ISO technical committees. Each member body interested in a subject for which a
technical committee has been established has the right to be represented on that committee.
International organisations, governmental and non-governmental, in liaison with ISO, also take part in
the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all
matters of electrotechnical standardisation.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part
2.

The main task of technical committees is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75% of the member bodies
casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 24762 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT security techniques.


Singapore Standard for information and communications
technology disaster recovery services


0 Introduction

0.1 General

This standard is aimed at aiding the operation of an Information Security Management System (ISMS)
by providing certifiable specification on the provision of information and communications technology
disaster recovery (ICT DR) services as part of business continuity management.

Information security management is the process by which management aims to achieve effective
confidentiality, integrity and availability of information and service. When an organisation
implements an ISMS the risks of interruptions to business activities for any reason shall always
be identified.

ISO/IEC 27001 and ISO/IEC 27002 include a control objective for information security aspects of
business continuity management (refer to Control Objective 14.1 in ISO/IEC 27002 : 2005), the
implementation of which will reduce those risks. That control objective is supported by controls to be
selected and implemented as part of the ISMS process.

Business continuity management is an integral part of a holistic risk management process that
safeguards the interests of an organisation's key stakeholders, reputation, brand and value-creating
activities through:

a) identifying potential threats that may cause adverse impacts on an organisation's business
operations, and the associated risks;

b) providing a framework for building resilience for business operations;

c) providing capabilities, facilities, processes, action task lists, etc., for effective responses to
disasters and failures.

In planning for business continuity, the fallback arrangements for information processing and
communication facilities become beneficial during periods of minor outages and essential for
ensuring information and service availability during a disaster or failure for the (complete) recovery of
activities over a period of time. Such fallback arrangements may include arrangements with third
parties in the form of reciprocal agreements, or commercial subscription services.

1 Scope

1.1 General

This standard describes the basic practices which ICT DR service providers, both in-house and
outsourced, shall consider.

It covers the requirements that service providers shall meet, recognising that individual organisations
may have additional requirements that are specific to them (which would have to be addressed in the
agreements/contracts with service providers). Examples of such organisation requirements may
include special encryption software and secured operation procedures, equipment, knowledgeable
personnel and application documentation. Such additional organisation specific requirements, if
necessary, are generally negotiated on a case-by-case basis and are the subject of detailed contract
negotiations between organisations and their ICT DR service providers and are not within the scope
of this standard.
