The recent Energy Crisis has highlighted how critical energy supplies are to the running of our daily operations. It is therefore a very good opportunity to explain the difference between Business Continuity Planning (BCP) and Disaster Recovery (DR).
Let’s start by defining what a disaster is and providing some examples.
Disaster Scenarios
A disaster is a situation in which widespread human, material, economic or environmental losses have occurred that exceed the ability of the affected organization, community or society to respond and recover using its own resources. Examples include:
- Natural disasters (earthquakes, hurricanes, wildfires, etc.).
- Fires and floods in offices or on-site server rooms.
- Regional or local power outages.
- Disease outbreaks and pandemics.
- Theft, vandalism, and similar criminal acts.
- Cyber-attacks (ransomware, DDoS attacks, phishing attempts, APT attacks, etc.).
- Attempts at CEO fraud.
- Loss of connectivity and software failures.
- Data center disasters.
- Threats to data integrity and safety (such as data breaches or corruption).
What is the difference between an Incident and a Disaster?
An incident is a situation that might be, or could lead to, a disruption, loss, emergency or crisis, while a disaster is always a situation that implies serious damage to the organization.
Business Continuity Plan (BCP)
According to ISO 22301, a business continuity plan is defined as “documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.”
BCP focuses on developing plans/procedures, but it doesn’t include the analysis that forms the basis of such planning, nor the means of maintaining such plans – all these are required elements of business continuity management that are necessary for enabling successful contingency planning.
The goal of BCP is to minimize downtime in the event of an incident.
Moreover, it temporarily addresses the incident to maintain critical business functions until the disruption is gone.

Disaster Recovery
Disaster recovery is a standard set of policies and procedures that a business or organization puts in place and follows to protect itself and its personnel in the face of a disaster. Disaster recovery plans (DRPs) can help the business ensure personal and employee safety, restore hardware and systems, and take other steps to encourage business continuity. DRPs may include preventative measures, corrective measures, and detective measures to prevent disasters from affecting business as much as possible while mitigating the disaster outcome as reliably as possible.
Disaster recovery is a subset of business continuity planning, and no BC strategy is complete without a plan for restoring IT functions. DR prepares for the same accidents as BC (natural disasters, cyber-attacks, etc.) but focuses solely on restoring software and IT-related assets.
ISO Standards
ISO 27031 is a standard for IT disaster recovery. It’s an international standard that specifies how to plan, implement, and maintain disaster recovery systems. The purpose of ISO 27031 is to help organisations ensure that their business continuity plans are able to deal with any type of disaster.
The four areas of ISO 27031 are: Plan, Do, Check, Act.
