Full Text

Creating and testing a disaster recovery plan is one of the key elements of business continuity management. Traditionally business continuity and disaster recovery (DR) planning have always been separated between the business and the information technology (IT) departments, but it has long been recognised that this " divide " creates more problems than it solves. After all, most businesses could not continue to operate successfully if their IT services were unavailable for a period of time. The recent launch of BS 25999 has established a Business Continuity Management (BCM) standard which intrinsically links BCM, Incident Management and IT DR. Essentially the key message is that to have true business continuity, you must also have strong IT DR capability.

A disaster recovery plan should interface with the overall business continuity management plan. In the case of both, it's important to be clear and concise, to focus on the key activities required to recover the critical IT services, and to test, review and update on a regular basis.

Why bother?

Well, the simple answer is that information is the lifeblood of any organisation, and operating without it is a 'non-starter'. More specifically there are two key recovery objectives:

The recovery time objective (RTO)

How long can my business continue to function without the critical IT services? How quickly must I recover the service from the decision to invoke?

The recovery point objective (RPO)

From what time in my processing cycle am I going to recover my data? How much data am I prepared to lose or have to re-enter from an alternate source? There are several types of data loss, namely:

* zero data loss, recovery to the point of failure;

* start of the current business day (SoD);

* end of the previous business day (EoD);

* intraday, a point between the last available backup, either SoD or EoD, and the time of failure (midday, for example);

* period end, the weekly or monthly backup.

How long could I survive without a Recovery Plan?

There is an additional measure - the Maximum Tolerable Period of Disruption (MTPD), which is the maximum time that a business will survive from the initial service interruption.

The recovery objectives must be based upon solid business requirements identified by the...