What’s the difference between business continuity and disaster recovery? and why is it important? , business continuity , disaster, disaster recovery plan, disaster recovery, business continuity plan, continuity, ISO, ISO standards, ISO 22301

The Difference Between Business Continuity and Disaster Recovery

We are often asked whether the terms business continuity (BC) and disaster recovery (DR) mean or represent the same thing and if not what are the key differences.

This top tip will provide some clarity on the respective definitions and in doing so ensure your organisation is prepared to deal with both BC and DR incidents.

Here’s an interesting fact …did you know that the term ‘Disaster Recovery’ is not mentioned in the entire ISO 22301:2012 Business Continuity Management Standard. Not once.

So, let’s get down to definitions. Whilst they are intrinsically linked and often work towards the same goal, they are not the same thing.

BC relates to the ‘capability of an organisation to continue the delivery of products or services within acceptable time frames at predefined capacity during a disruption’. (as per ISO/FDIS 22301:2019)

DR, on the other hand, relates to the strategies and plans for recovering and restoring the organisation’s technological infrastructure/ vital support systems and capabilities after a serious interruption, e.g. communications, hardware, software and IT assets. The goal of disaster recovery is to restore technical operations in the shortest space of time.

Whilst the focus of DR is on technical infrastructure, BC takes a more holistic approach and is concerned with any factor which can impact on the business continuing to operate, e.g. in addition to a loss of infrastructure, a loss of:

► People

► Workplace

► Supply chain

► Reputation/Brand

It may be easier to think of it like this…

A DR incident is always going to be a BC incident, however not all BC incidents will involve the use of DR plans or arrangements. BC is the umbrella term encompassing DR which is often a critical component in certain types of incidents. For example, the loss of an organisation’s premises, through fire or natural disaster or experiencing an IT outage such as ransomware or malware attack will undoubtedly lead to the use of any DR arrangements as part of the BC incident management response to those incidents.

However, a staff welfare issue such as a contagious bug or reputational issue from perhaps a scandal or social media posting, and even potentially a critical supply chain failure would likely not require the use of
any DR arrangements.

In summary, BC has a much wider scope than DR. DR is only a subset of BC planning. The starting point for any organisation planning for BC and DR is undoubtedly the business impact analysis (BIA) and risk assessment. Conducting a BIA / risk assessment will help determine the organisation’s crown jewels and the critical activities that underpin the key services. In a later blog, we will be providing advice and tips on how to conduct BIAs and risk assessments.


This 5 day certificate course, which is delivered by trainers who are business continuity practitioners, is closely aligned to current standards such as ISO 22301, the International Standard for Business Continuity as well as the Business Continuity Institute’s (BCI’s) Good Practice Guidelines.

URM’s BCS Certificate in Information Security Management Principles (CISMP) 5 day course provides you with a detailed but holistic understanding of the concepts which underpin information security management. URM’s CISMP course is the only course in the UK to have been certified both by CIISec and as part of the GCHQ Certified Training (GCT) scheme.

This 5 day course, which is delivered by trainers with practitioner backgrounds, leans heavily on practical exercises to provide you with extensive hands-on experience of all the key components of the risk management process.