{"id":10876,"date":"2017-02-27T17:48:52","date_gmt":"2017-02-27T17:48:52","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=10876"},"modified":"2024-12-21T13:36:08","modified_gmt":"2024-12-21T13:36:08","slug":"business-continuity-management-vs-information-security-vs-it-disaster-recovery","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2017\/02\/27\/business-continuity-management-vs-information-security-vs-it-disaster-recovery\/","title":{"rendered":"Business Continuity Management vs. Information Security vs. IT Disaster Recovery"},"content":{"rendered":"<p>For outsiders, it\u2019s not easy to distinguish among the specific purposes of Business Continuity Management (BCM), Information Security (IS), and IT Disaster Recovery (IT DR). All three areas have something to do with \u201csecurity,\u201d \u201closses,\u201d \u201cdisasters,\u201d and \u201cprotection.\u201d Read on to learn more about the particular roles of disciplines often being misunderstood by management.<\/p>\n<p>For starters, let\u2019s have a look at the definitions (in practical terms, not the rather dry official definitions).<\/p>\n<h2>Business Continuity Management (BCM)<\/h2>\n<p>As the name says, <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/business-continuity-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\">BCM<\/a> protects enterprises (whole businesses) from undesirable and uncontrollable consequences of business interruptions. Staff being the most precious resource of an organization, protecting employees\u2019 lives is of highest priority. Of course, apart from this aspect, typically there is a whole range of critical assets and resources to be protected, too. In the context of this article, IT can be considered one such critical resource. 
Implementation of a business continuity approach is governed by <a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a>.<\/p>\n<h4 style=\"padding-bottom: 5px;\">Various flavors of interruptions<\/h4>\n<p>Interruptions may or may not have anything to do with IT systems. They may be up and running, but if a major supply chain has been interrupted, production may stop unexpectedly and indefinitely. If a fire destroys a warehouse, your deliveries to customers might be affected. If staff is unable to reach the organization\u2019s call center because of bad weather, sales or customer service will be impacted.<\/p>\n<h2>Information Security (IS)<\/h2>\n<p><a href=\"\/27001academy\/documentation\/information-security-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\">Information Security<\/a>, as specified in the ISO 27000 series of standards, deals with the proper, safe, and secure handling of information within an organization. This range of standards (with its flagship <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>) focuses not only on technical issues, but also deals with handling information on paper and human aspects such as social engineering.<\/p>\n<h4 style=\"padding-bottom: 5px;\">Information Security in a nutshell<\/h4>\n<p>One model to express the essence of Information Security is the CIA model. The acronym stands for confidentiality, integrity, and availability. Confidentiality is achieved, according to widely accepted best practices, by classifying information (e.g., public, internal, or confidential), which means that access is to be organized on a \u201cneed-to-know\u201d basis. 
Integrity provides assurance that the results presented by IT systems can be trusted and have not been (intentionally or otherwise) tampered with. \u201cA\u201d stands for availability \u2013 a characteristic of the information by which it can be accessed by authorized persons when it is needed. For example: an IT system that is not running or is not accessible is of no use. If this IT system is of importance to the organization (to the business), it is of interest for the BCM approach, too. Here we have an important overlap.<\/p>\n<p>Read the article: <a href=\"\/27001academy\/knowledgebase\/the-basic-logic-of-iso-27001-how-does-information-security-work\/\" target=\"_blank\" rel=\"noopener noreferrer\">The basic logic of ISO 27001: How does information security work?<\/a>\u00a0to learn more about Information Security.<\/p>\n<h2>IT Disaster Recovery (IT DR)<\/h2>\n<p>If we experience a system that is not available, we have every reason to get it up and running within a specified period of time. This timeframe, in turn, is determined during the business impact analysis phase of the BCM lifecycle (as per ISO 22301 and ISO 22317). Defining the proper IT DR parameters is important within the context of both Information Security and Business Continuity Management. 
ISO 27031 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, with IT DR being part of this approach.<\/p>\n<p>Read the article: <a href=\"\/27001academy\/blog\/2015\/09\/21\/understanding-it-disaster-recovery-according-to-iso-27031\/\">Understanding IT disaster recovery according to ISO 27031<\/a> to learn more about disaster recovery according to ISO 27031.<\/p>\n<h4 style=\"padding-bottom: 5px;\">Waiting for the disaster?<\/h4>\n<p>However, <a href=\"\/27001academy\/documentation\/disaster-recovery-plan\/\" target=\"_blank\" rel=\"noopener noreferrer\">IT DR<\/a> is only a reactive activity; a proper BCM and IS approach equally demands proactive and preventive measures to reduce both the probability and the impact of an IT outage or disaster. This is realized by properly designing the affected IT systems, usually by adding redundant elements, thereby avoiding so-called \u201csingle points of failure\u201d (abbreviated as SPOF).<\/p>\n<h2>Let\u2019s be careful with these three terms<\/h2>\n<p>We need to be. Let\u2019s reiterate: the \u201cB\u201d in BCM stands for the whole business and encompasses more than just IT. BCM needs to be implemented according to ISO 22301.<\/p>\n<p>However, IT is usually a very important pillar of the organization. As such, IT should not be excluded from a BCM approach, but needs dedicated implementation according to the ISO 27000 range of standards.<\/p>\n<p>IT DR is a specific, reactive discipline aimed at restoring IT systems that have stopped operating. It is a crucial element of both BCM and IS, but is quite useless if used as a single measure. As a stand-alone tactic, IT DR neither provides adequate protection for a business, nor is it a replacement for an Information Security approach.<\/p>\n<p>BCM is certainly not an IT-internal issue, and covers a lot of non-IT aspects as well. 
A proper Information Security implementation is an essential and ideal building block for a holistic BCM approach.<\/p>\n<p><em>To implement ISO 22301 easily and efficiently, use our<\/em>\u00a0<a href=\"https:\/\/advisera.com\/27001academy\/iso22301-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 22301 Documentation Toolkit<\/a>\u00a0<em>that provides step-by-step guidance and all documents for full ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For outsiders, it\u2019s not easy to distinguish among the specific purposes of Business Continuity Management (BCM), Information Security (IS), and IT Disaster Recovery (IT DR). All three areas have something to do with \u201csecurity,\u201d \u201closses,\u201d \u201cdisasters,\u201d and \u201cprotection.\u201d Read on to learn more about the particular roles of disciplines often being misunderstood by management. For &#8230;<\/p>\n","protected":false},"author":45,"featured_media":10877,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[378,379,381,850,1581,1582,1583],"class_list":["post-10876","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-business-continuity","tag-information-security","tag-iso-27001","tag-iso-27031","tag-iso-22031","tag-it","tag-it-disaster-recovery"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/45"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=10876"}],"version-
history":[{"count":3,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10876\/revisions"}],"predecessor-version":[{"id":103237,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10876\/revisions\/103237"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/10877"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=10876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=10876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=10876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}