Businesses often treat Business Continuity and Disaster Recovery as one and the same, and both are frequently confused with Information Security. Let us first look at each of the three in terms of its scope and content.
A Disaster Recovery Plan (DRP) is mainly concerned with Information Technology and its processes. It covers the IT infrastructure, application systems, servers, desktops and the other peripherals needed for the information systems to function. A DRP addresses the recovery of storage, network and application failures, database crashes, and records or information that have been damaged. It is essentially the set of procedures for bringing IT activity, or an IT-related function, back up when a threat materialises or damage occurs. Typical elements include an alternative site, backup procedures, offsite replication, and redundant servers, storage and network components. A practitioner should also expect a DRP to state a recovery time objective (RTO) and recovery point objective (RPO) for each system, and to be tested regularly; an untested restore procedure is not a recovery capability.
Business Continuity Management (BCM), on the other hand, is a holistic approach to protecting the business as a whole, including its people, assets, functions, processes and procedures. It is the management discipline for keeping the business running, or resuming it within a stipulated time, when a disaster or interruption affects the business and its functions. ISO 22301 specifies the requirements for a Business Continuity Management System (BCMS).
Information Security is embedded in the business to protect the flow of information according to the Confidentiality, Integrity and Availability (CIA) triad. In broader terms, information is classified so that only those who need to know can access it, its quality is assured so that it has not been tampered with, and it is available to authorised users when needed. ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS); it addresses not only documented standards but also the technical and human aspects of protecting information, whether that information is handled manually or by technology.
Let's recap: BCM covers the whole business and encompasses far more than IT. BCM should be implemented according to ISO 22301.
BCM is certainly not an IT-internal issue and covers many non-IT aspects as well. A proper Information Security implementation is an essential building block of a holistic BCM approach.
DRP is a specific, reactive discipline aimed at restoring IT systems that have failed. It is a crucial element of both Business Continuity and Information Security, but it loses its value if it operates in a silo. On its own, Disaster Recovery neither protects the business nor substitutes for an Information Security Management System.
IT is, however, an important pillar and integral part of today's business, and it should not be addressed solely through a Disaster Recovery Plan but within the Business Continuity (BCM) approach. Protecting IT assets and information in turn requires a dedicated implementation based on the ISO/IEC 27000 family of standards, principally an Information Security Management System (ISMS) that conforms to ISO/IEC 27001.
Anitech Consulting provides consulting services and can assist organisations in implementing and auditing an Information Security Management System (ISMS) in compliance with the specific requirements of ISO/IEC 27001. Contact us for a quote.