Disaster recovery vs. business continuity

Updated: December 15, 2023.

Has it ever happened to you that your management has given you the responsibility to implement business continuity just because you are in the IT department? Why is business continuity usually identified with information technology?

This is probably because business continuity has its roots in disaster recovery, and disaster recovery is basically all about information technology. Twenty or thirty years ago business continuity (BC) did not exist as a concept, but disaster recovery (DR) did – the main concern was how to save the data if a disaster occurred. At that time it was very popular to purchase expensive equipment and place it at a remote location so that all the important data of an organization would be preserved if, for instance, an earthquake occurred. The goal was not only to preserve the data, but also to process it with more or less the same capacity as at the main location.

But after a while it was realized – what use would the data be if there were no business operations to use it? This was how the business continuity idea was born – its purpose is to enable the business to keep going, even in case of a major disruption.

Business continuity is the concept of enabling a company to continue its business operations after a disruption, whereas disaster recovery is about enabling the recovery of IT systems that support the business continuity.

Definitions

Let’s take a look at the definitions – business continuity is the “capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption” (ISO 22300:2021), while disaster recovery is “the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster” (Wikipedia.org).

As you can see from the definitions, the emphasis in DR is on technology (i.e., in Recovery Time Objectives and Recovery Point Objectives), while in BC it is on business operations. Therefore, disaster recovery is part of business continuity – you might consider it as one of the main enablers of business operations, or the technological part of business continuity.

However, you may have noticed something else too – the definition of BC is quoted from ISO 22300, the vocabulary document for ISO 22301, the leading ISO standard on business continuity management, while the definition of DR is quoted from Wikipedia – actually, “business continuity” is an official term recognized in standards, while “disaster recovery” is not.

Implications for implementation

So why is it a bad idea for an IT department to implement business continuity for the whole organization? Because business continuity is primarily a business issue, not an IT issue. If the IT department were implementing business continuity for the whole organization, it would be able to define neither the criticality of business activities nor the criticality of information. Further, it is questionable whether it would achieve commitment from the business parts of the organization.

The best way to organize the implementation of BC is for the business side to lead such a project – this is how you would achieve greater awareness and acceptance of all parts of the organization. The IT department should play its role in such a project – a key role – to prepare disaster recovery plans.

Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.