Learn in small groups from top experts and real-life examples
  • (0)

    ISO 27001 & ISO 22301 Knowledge base

    Disaster recovery site – What is the ideal distance from primary site?

    The alternative site for your data center must be 50 miles away from the primary site. No, make that 100 miles… or is it 200 miles? Or perhaps kilometers? Well, none of this is correct – the truth is, there is no one-size-fits-all answer to this question.

    Regulations and standards

    Is there a simple answer when it comes to requirements for disaster recovery site distance? Let me start with an example here – in 2002 and 2003, U.S. federal regulators had planned to require financial institutions to move their disaster recovery centers 200 or 300 miles away from primary sites. However, this initiative had failed not only because the banks have strongly opposed such regulation, but also because it has proved to be quite unfeasible.

    The situation in the majority of other countries is similar. Of course, I’m not familiar with every regulation in the world, but from those I read, I didn’t find any with a precise definition. (If I’m wrong, feel free to add such regulations in the comments below.) Most of the regulations that deal with this matter do, however, say there must be a disaster recovery site at a “safe distance.”

    Regarding standards, the situation is similar – neither ISO 22301 (new international business continuity standard), nor BS 25999-2 (its predecessor), or any of the standards from NIST SP 800 or ISO 27k series are precise about it.

    Risk assessment

    So, the decision is obviously left to the companies themselves – and such decisions cannot be made based on someone’s feeling, but on a study. In this case, a study is called “risk assessment,” and its purpose is to take into account all the relevant factors.

    Here are the factors that tend to push the location further away:

    • Earthquakes – if your location is in a seismic-sensitive area
    • Floods – you should position an alternative site out of the same flood plain
    • Tsunamis – you shouldn’t place both primary and secondary location on the coast of an ocean
    • Other natural disasters – e.g. forest fires, tornados/hurricanes, volcanos – if your primary site is close to such areas, the disaster recovery site should be further away
    • Large industrial facilities, nuclear power plants, or military installations – again, at least one of your locations should be at a safe distance
    • Dependence on the same source of electrical power – you should look for locations on a different power grid
    • Even if your risk assessment proves none of the above are applicable to you, take into account risks like pandemic diseases – in such cases, authorities will likely close the whole metropolitan area

    However, there are some factors that force you to position a disaster recovery location as close as possible:

    • Telecommunication links – the further the sites are away, the more difficult it becomes (i.e. more costly) to replicate the data between these sites
    • If your employees are expected to travel to an alternative site in case of disaster – they have to be able to make it within the RTO (Recovery Time Objective); besides, the road between the sites shouldn’t be full of bridges and tunnels.

    Main problems – small countries and small budgets

    From the position of United States (or for that matter, Canada), the distance of few hundred miles is never a problem; imagine now you are a company in a European country with the geographical size of the Los Angeles metropolitan area, and the population of one city block in L.A. In such situations, the easiest solution would be to position a disaster recovery site in a neighboring country with compatible laws and regulations.

    The main problem is usually the cost – building such a site and maintaining it costs far more than just an ordinary office building. This is why you could rent such a space for your alternative data center site from companies specialized in disaster recovery services. Or, there is a cloud computing option, but this is a completely different story…

    To conclude, to mitigate most of the risks I would suggest you place a disaster recovery location somewhere between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location. But again, please do your risk assessment first.

    Click here to see a template of  Business Continuity Strategy that will help you with making decisions about disaster recovery locations.

    Advisera Dejan Kosutic
    Dejan Kosutic
    Leading expert on cybersecurity / information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients. As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.