Business Continuity Management vs. Information Security vs. IT Disaster Recovery

For outsiders, it’s not easy to distinguish among the specific purposes of Business Continuity Management (BCM), Information Security (IS), and IT Disaster Recovery (IT DR). All three areas have something to do with “security,” “losses,” “disasters,” and “protection.” Read on to learn about the particular roles of these three disciplines, which are often misunderstood by management.

For starters, let’s have a look at the definitions (in practical terms, not the rather dry official definitions).

Business Continuity Management (BCM)

As the name says, BCM protects enterprises (whole businesses) from undesirable and uncontrollable consequences of business interruptions. Staff being the most precious resource of an organization, protecting employees’ lives is of highest priority. Of course, apart from this aspect, typically there is a whole range of critical assets and resources to be protected, too. In the context of this article, IT can be considered one such critical resource. Implementation of a business continuity approach is governed by ISO 22301.

Various flavors of interruptions

Interruptions may or may not have anything to do with IT systems. The IT systems may be up and running, but if a major supply chain has been interrupted, production may stop unexpectedly and indefinitely. If a fire destroys a warehouse, your deliveries to customers might be affected. If staff is unable to reach the organization’s call center because of bad weather, sales or customer service will be impacted.
Information Security (IS)

Information Security, as specified in the ISO 27000 series of standards, deals with the proper, safe, and secure handling of information within an organization. This range of standards (with its flagship ISO 27001) focuses not only on technical issues, but also deals with handling information on paper and human aspects such as social engineering.

Information Security in a nutshell

One model to express the essence of Information Security is the CIA model. The acronym stands for confidentiality, integrity, and availability. Confidentiality means that, according to widely accepted best practices, information is classified (e.g., public, internal, or confidential) and access is organized on a “need-to-know” basis. Integrity provides assurance that the results presented by IT systems can be trusted and have not been (intentionally or otherwise) tampered with. “A” stands for availability – a characteristic of the information by which it can be accessed by authorized persons when it is needed. For example: an IT system that is not running or is not accessible is of no use. If this IT system is of importance to the organization (to the business), it is of interest for the BCM approach, too. Here we have an important overlap.

Read the article: The basic logic of ISO 27001: How does information security work? to learn more about Information Security.

IT Disaster Recovery (IT DR)

If we experience a system that is not available, we have every reason to get it up and running within a specified period of time. This timeframe, in turn, is determined during the business impact analysis phase of the BCM lifecycle (as per ISO 22301 and ISO 22317). Defining the proper IT DR parameters is important within the context of both Information Security and Business Continuity Management. ISO 27031 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, IT DR being part of this approach.

Read the article: Understanding IT disaster recovery according to ISO 27031 to learn more about disaster recovery according to ISO 27031.

Waiting for the disaster?

However, IT DR is only a reactive activity; a proper BCM and IS approach equally demands proactive and preventive measures to reduce both the probability and the impact of a disastrous IT outage. This is realized by properly designing the affected IT systems, usually by adding redundant elements, thereby avoiding so-called “single points of failure” (abbreviated as SPOF).
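As an added example that is not part of the original article, the following Python snippet shows how the SPOF idea can be checked systematically rather than by eye. It models a service as a dependency tree of “all” nodes (every part is required) and “any” nodes (a redundancy group where one surviving member is enough), then lists the components whose single failure takes the whole service down. The service name, topology, and component names are constructed for illustration and do not refer to any real system.

```python
"""Single-point-of-failure (SPOF) finder over a constructed service-dependency model.

Added example; not from the original article. The topology below is made up.
"""
from typing import List, Set, Union

# A dependency tree node is either a leaf component name (str) or a combinator:
#   ("all", [children]) - every child must be up (serial dependency)
#   ("any", [children]) - at least one child must be up (redundancy group)
Node = Union[str, tuple]


def is_up(node: Node, failed: Set[str]) -> bool:
    """Evaluate whether `node` is still available given the set of failed components."""
    if isinstance(node, str):
        return node not in failed
    kind, children = node
    if kind == "all":
        return all(is_up(child, failed) for child in children)
    if kind == "any":
        return any(is_up(child, failed) for child in children)
    raise ValueError(f"unknown combinator {kind!r}")


def components(node: Node) -> Set[str]:
    """Collect every leaf component name referenced anywhere in the tree."""
    if isinstance(node, str):
        return {node}
    return set().union(*(components(child) for child in node[1]))


def single_points_of_failure(service: Node) -> List[str]:
    """Return the components whose individual failure makes the service unavailable."""
    return sorted(c for c in components(service) if not is_up(service, {c}))


# Constructed "order system": redundant web and app tiers and dual ISP uplinks,
# but a single database and a single core switch.
ORDER_SYSTEM: Node = ("all", [
    ("any", ["web-1", "web-2"]),
    ("any", ["app-1", "app-2"]),
    "db-primary",
    "core-switch",
    ("any", ["isp-a", "isp-b"]),
])

# Same service after adding redundancy to the two weak spots found above.
HARDENED_ORDER_SYSTEM: Node = ("all", [
    ("any", ["web-1", "web-2"]),
    ("any", ["app-1", "app-2"]),
    ("any", ["db-primary", "db-replica"]),
    ("any", ["core-switch-1", "core-switch-2"]),
    ("any", ["isp-a", "isp-b"]),
])

if __name__ == "__main__":
    print("SPOFs before hardening:", single_points_of_failure(ORDER_SYSTEM))
    print("SPOFs after hardening: ", single_points_of_failure(HARDENED_ORDER_SYSTEM))
```

The check deliberately tests one failure at a time, which is exactly what “single point of failure” means; it says nothing about correlated failures (both web nodes in the same rack, both ISP lines in the same duct), which is why the design review behind a BCM approach still has to ask where the redundant elements physically and organizationally sit.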

Let’s be careful with these three terms

We need to be. Let’s reiterate: the “B” in BCM stands for the whole business and encompasses more than just IT. BCM needs to be implemented according to ISO 22301.

However, IT usually is a very important pillar of the organization. As such, IT should not be excluded from a BCM approach, but needs dedicated implementation according to the ISO 27000 range of standards.

IT DR is a specific, reactive discipline aimed at restoring IT systems that have stopped operating. It is a crucial element of both BCM and IS, but is quite useless if used as a single measure. As a stand-alone tactic, IT DR neither provides adequate protection for a business, nor is it a replacement for an Information Security approach.

BCM is certainly not an IT-internal issue, and covers a lot of non-IT aspects as well. A proper Information Security implementation is an essential and ideal building block for a holistic BCM approach.

Read this free white paper Integration of Information Security, IT and Corporate Governance to learn how to integrate different systems within the company.