Disaster recovery – preparedness for emergencies

Earthquakes, floods, pandemics, lightning strikes – the list goes on and on. Events like these are a disaster for companies because they can bring business grinding to a halt. Disaster recovery is about being prepared for incidents like these and minimising damage when things go south. 

The facts in a nutshell 

  • Disaster recovery is the process of maintaining operations in the event of a disaster, and it always follows a similar procedure.  
  • The steps a company takes in the event of a disaster are defined in its disaster recovery plan.  
  • In a business impact assessment, you first define the most serious potential disasters that could bring your company to a standstill and then set out the respective procedure for each.  
  • Disaster recovery is also mentioned in ISO 27001. As such, it is a mandatory prerequisite for certification. 

What does disaster recovery mean?  

Disaster recovery covers the entire process of maintaining or re-establishing operations in the event of a disaster. While this often includes recovering lost data, a step known as data recovery, disaster recovery as a whole encompasses a much wider field. 

Take the COVID-19 pandemic, for example. It was a disaster for many companies, but one that did not involve data loss. Instead, companies faced the challenge of keeping business up and running even when most of the workforce was out on sick leave. So, disaster recovery is not limited to IT systems.  

Disaster recovery is the responsibility of the Disaster Recovery Board, which usually consists of: 

The most common disaster recovery methods include:  

  • Backups 
  • Hot standby (i.e., redundant infrastructure that switches over automatically when components fail) 
  • Cold standby (i.e., redundant infrastructure that must be switched over manually)  
  • Dedicated staff 
  • Emergency kits 
  • A backup computer centre (e.g., one housed in a lorry) 
  • Emergency generators 

Disaster recovery in 6 steps 

No matter what disaster hits, disaster recovery always roughly follows the same process:   

Step 1: Disaster detection by the responsible staff 

A possible disaster is detected and brought to the attention of the Disaster Recovery Board, which classifies it accordingly.  

Step 2: Containment 

The disaster is contained. In the event of a hacker attack, for example, containment could consist of disconnecting the entire IT infrastructure from the network.  

Step 3: Immediate measures  

This step includes any measures capable of restoring operations in the short term; for example, recovering data from backups.  

Step 4: Long-term measures 

Some disasters, such as the COVID-19 pandemic, can last for months. Ransomware attacks can also cripple companies or administrations for weeks, as was the case when the Austrian state of Carinthia was paralysed by hackers. Long-term measures are about keeping the business up and running even in the face of a prolonged disaster. An example here is buying new servers on short notice.   

Step 5: Post-disaster clean-up 

Eventually, every disaster passes and normal business can resume. The post-disaster step is like cleaning up after a party: get an overview, clean up, repair. 

Step 6: Lessons learned  

The first task here is to determine what caused the disaster. Many emergencies, such as natural disasters, are unavoidable, even with the best risk management strategy in place. So in the lessons learned step, it is a question of finding out how to improve your reaction the next time around. However, sometimes a disaster can be traced back to a gap in risk management. If this is the case, the gap needs to be located and closed. 

How to set up a disaster recovery process  

If you want to set up a disaster recovery process in your company from scratch, it is advisable to first perform what is known as a business impact assessment. In it, you’ll look into the fifteen to twenty basic risks that could bring your company to its knees. These include natural events such as earthquakes, floods, or lightning strikes, but also IT incidents such as ransomware attacks. Depending on your company’s location and the industry you are active in, you might need to include political events such as civil war in the list as well. 

For each scenario you define in the business impact assessment, you should develop a plan that would allow you to ‘stick it out’, i.e., to keep your business processes running, until the disaster passes. Taken together, the described measures are your disaster recovery plan. 

The disaster recovery plan: the essence for disaster preparedness  

By making a disaster recovery plan, you are drafting your most crucial document for dealing with disasters. Because it is unclear whether there will even be an Internet connection in the event of an emergency, you should make sure your disaster recovery plan is available in both digital and paper form.  

A disaster recovery plan consists of: 

  • The business impact assessment with the most important 15–20 scenarios that could have a serious impact on your company,  
  • A description of the infrastructure and data recovery measures already in place (such as a redundant data centre, firewalls, etc.),  
  • The general procedure in the event of a disaster, and  
  • A description of the specific procedure for each scenario, including a flow chart. 

Your plan should also include the contact details of senior management. Now, print your disaster recovery plan and add it to your company’s emergency kits.  

Finally, the physical cases containing your emergency kit should be stored at several separate locations. In addition to your disaster recovery plan, a telephone, credit card, laptop, notepad, and pen are standard equipment for an emergency kit.  

Disaster recovery in the ISO 27001 standard 

Implementing a disaster recovery plan is a good idea for any business. It minimises the likelihood that a business will have to discontinue business operations due to an unexpected incident and declare bankruptcy. In short: disaster recovery is how you prepare for the worst case. 

And if you want to have your information security management system (ISMS) certified according to ISO 27001, there is no avoiding implementing a disaster recovery plan in your company.  

Annex A.17 of ISO 27001 outlines concrete requirements for business continuity management (BCM), i.e. your company’s ability to maintain business operations in, as the standard calls it, ‘adverse situations’. (In the new version of the standard, ISO 27001:2022, the BCM requirements are found in Annex A.5.30.)  

Disaster recovery software makes it easier to prepare for disasters 

By documenting the interdependencies of your company’s information assets, disaster recovery software reveals the weak points you face. For example, the situation is critical if too many employees depend on the same server for their work: if that server goes down, it may paralyse your business.  

Disaster recovery software can also help determine the cause of a disaster after an incident occurs by locating the component that failed. However, while inarguably useful, disaster recovery software is also quite expensive.
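The dependency analysis described above can be illustrated with a small script. The following is an added example written for this page, not DataGuard's product or any vendor's software; the asset inventory it uses is constructed for illustration. It models business processes and the infrastructure they depend on, lists the single points of failure in order of how many processes each would halt, and, for the post-incident analysis mentioned in the last paragraph, lists which components' failure would explain an observed outage pattern.

```python
"""Dependency-impact analysis for a disaster recovery inventory (added example)."""

# Constructed sample inventory (an assumption for this example, not data from the article).
# Each key depends on the items in its list; business processes are the top-level entries.
DEPENDENCIES = {
    "order-processing": ["erp-app", "office-network"],
    "customer-support": ["ticketing-app", "office-network", "voip"],
    "payroll": ["hr-app"],
    "erp-app": ["db-server-1", "file-server"],
    "ticketing-app": ["db-server-1"],
    "hr-app": ["db-server-2"],
    "voip": ["office-network"],
    "db-server-1": ["san-storage", "ups"],
    "db-server-2": ["san-storage", "ups"],
    "file-server": ["san-storage"],
    "office-network": ["core-switch", "ups"],
    "san-storage": [],
    "ups": [],
    "core-switch": [],
}
PROCESSES = ("order-processing", "customer-support", "payroll")


def transitive_deps(deps, node):
    """All assets that `node` depends on, directly or indirectly."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        for dep in deps.get(current, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def halted_processes(deps, processes, failed):
    """Processes that stop when every asset in `failed` is down.

    The model assumes no redundancy: a process halts if any asset in its
    dependency chain is unavailable.
    """
    failed = set(failed)
    return sorted(p for p in processes
                  if p in failed or transitive_deps(deps, p) & failed)


def single_points_of_failure(deps, processes):
    """List (asset, halted processes) pairs, most critical asset first."""
    assets = set(deps) - set(processes)
    impact = {a: halted_processes(deps, processes, {a}) for a in assets}
    return sorted(((a, ps) for a, ps in impact.items() if ps),
                  key=lambda item: (-len(item[1]), item[0]))


def candidate_causes(deps, processes, observed_down):
    """Assets whose single failure would produce exactly the observed outage."""
    observed = sorted(observed_down)
    assets = set(deps) - set(processes)
    return sorted(a for a in assets
                  if halted_processes(deps, processes, {a}) == observed)


if __name__ == "__main__":
    print("Single points of failure (most critical first):")
    for asset, halted in single_points_of_failure(DEPENDENCIES, PROCESSES):
        print(f"  {asset:16} halts {len(halted)} process(es): {', '.join(halted)}")

    # Post-incident analysis: which component could explain this outage pattern?
    down = {"order-processing", "customer-support"}
    print("Components whose failure explains the observed outage:",
          ", ".join(candidate_causes(DEPENDENCIES, PROCESSES, down)))
```

In the sample inventory the SAN storage and the UPS each halt all three processes, which is exactly the kind of hidden concentration of risk that a business impact assessment should surface; the mitigations (a second power feed, replicated storage, a cold or hot standby) then follow from the ranking rather than from guesswork.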

Conclusion  

Planning is half the battle. And disaster recovery simply means planning for the worst case. Disaster can strike any company or organisation – at any time and without warning. To avoid knee-jerk reactions and panic, disaster recovery defines in advance the steps your company will take in the event of an emergency.  

Are you working on setting up your disaster recovery plan? Or are you planning to get certified according to ISO 27001 or TISAX? We are happy to help you achieve your goals! 
