ISO 27001 & ISO 22301 Blog

Disaster recovery vs Business continuity

Has it ever happened to you that your management has given you the responsibility to implement business continuity just because you are in the IT department? Why is business continuity usually identified with information technology?

This is probably because business continuity has its roots in disaster recovery, and disaster recovery is basically all about information technology. Twenty or thirty years ago business continuity (BC) did not exist as a concept, but disaster recovery (DR) did – the main concern was how to save the data if a disaster occurred. At that time it was very popular to purchase expensive equipment and place it at a remote location so that all the important data of an organization would be preserved if, for instance, an earthquake occurred. Not only would the data be preserved, it would also be processed with more or less the same capacity as if it were at the main location.

But after a while it was realized – what use would the data be if there were no business operations to use it? This was how the business continuity idea was born – its purpose is to enable the business to keep going, even in case of a major disruption.


Let’s take a look at the definitions – business continuity is the “strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level” (BS 25999-2:2007), while disaster recovery is “the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster” (Wikipedia).

As you can see from the definitions, the emphasis in DR is on technology, while in BC it is on business operations. Therefore, disaster recovery is part of business continuity – you might consider it as one of the main enablers of business operations, or the technological part of business continuity.

However, you may have noticed something else too – the definition of BC is quoted from BS 25999-2, the leading standard on business continuity management, while the definition of DR is quoted from Wikipedia – actually, “business continuity” is an official term recognized in standards, while “disaster recovery” is not.

Implications for implementation

So why is it a bad idea for an IT department to implement business continuity for the whole organization? Because business continuity is primarily a business issue, not an IT issue. If the IT department were implementing business continuity for the whole organization, it would be able to define neither the criticality of business activities nor the criticality of information. Further, it is questionable whether it would achieve commitment from the business parts of the organization.

The best way to organize the implementation of BC is for the business side to lead such a project – this is how you would achieve greater awareness and acceptance of all parts of the organization. The IT department should play its role in such a project – a key role – to prepare disaster recovery plans.

Check out the webinar “Implementing Business Impact Analysis according to ISO 22301”, which explains how to define RTO and RPO for business-critical activities.

Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 expert, Dejan helps companies find the best way to obtain certification by eliminating overhead and adapting the implementation to their size and industry specifics.