Disaster Recovery

Technical Resource kits | Best practise research | Guided Implementation | DRP & BCM ISMS

What is DR ?

Disaster recovery involves a set of policies, tools, and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the information technology (IT) or technology systems supporting critical business functions as opposed to business continuity. This involves keeping all essential aspects of a business functioning despite significant disruptive events; it can therefore be considered a subset of business continuity.Disaster recovery assumes that the primary site is not recoverable for some time and represents a process of restoring data and services to a secondary survived site, which is opposite to restoring it back to its original place.

IT service continuity

IT Service Continuity (ITSC) is a subset of business continuity planning (BCP)that focuses on Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It encompasses two kinds of planning; IT disaster recovery planning and wider IT resilience planning. It also incorporates IT infrastructure and services related to communications, such as (voice) telephony and data communications.

IT Service Continuity Management (ITSCM) aims to manage risks that could seriously impact IT services. This ITIL process ensures that the IT service provider can always provide minimum agreed Service Levels, by reducing the risk from disaster events to an acceptable level and planning for the recovery of IT services. ITSCM should be designed to support Business Continuity Management.

The Recovery Time Objectives

The Recovery Time Objective (RTO)is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

According to business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner(s) of the process, including identifying time frames for alternate or manual workarounds.

Literature on the subject refers to RTO as a complement of Recovery Point Objective (RPO), with two metrics describing the limits of acceptable or “tolerable” ITSC performance. RTO and RPO gauges ITSC performance in terms of time lost from normal business process functioning and data lost or not backed up during that period (RPO), respectively


Planning for disaster recovery and information technology (IT) developed in the mid to late 1970s as computer center managers began to recognize the dependence of their organizations on their computer systems.

At that time, most systems were batch-oriented mainframes. Another offsite mainframe could be loaded from backup tapes pending recovery of the primary site; downtime was relatively less critical.The disaster recovery industry developed to provide backup computer centers. One of the earliest such centers was located in Sri Lanka (Sungard Availability Services, 1978).

During the 1980s and 90s, as internal corporate timesharing, online data entry and real-time processing grew, more availability of IT systems was needed.Regulatory agencies became involved even before the rapid growth of the Internet during the 2000s; objectives of 2, 3, 4 or 5 nines (99.999%) were often mandated, and high-availability solutions for hot-site facilities were sought.

IT Service Continuity is essential for many organizations in the implementation of Business Continuity Management (BCM) and Information Security Management (ICM) and as part of the implementation and operation information security management as well as business continuity management as specified in ISO/IEC 27001 and ISO 22301 respectively.

The rise of cloud computing since 2010 continues that trend: nowadays, it matters even less where computing services are physically served, just so long as the network itself is sufficiently reliable (a separate issue, and less of a concern since modern networks are highly resilient by design). ‘Recovery as a Service’ (RaaS) is one of the security features or benefits of cloud computing being promoted by the Cloud Security Alliance