Disaster Recovery
Disaster recovery is the process of restoring IT systems, data and infrastructure after a serious incident. A disaster recovery plan defines how you get your critical systems back up and running with minimum data loss and downtime.
What is disaster recovery?
Disaster recovery is about restoring your IT systems and data when the worst happens. This could be a ransomware attack encrypting your servers, a fire in the server room, a cloud failure at your provider, or a simple hardware failure striking at the worst possible time.
Where a business continuity plan (BCP) covers the entire organisation's ability to maintain operations, disaster recovery focuses specifically on IT. The two plans are closely connected, but disaster recovery is the technical component of the overall contingency.
Without a disaster recovery plan, you depend on luck and improvisation. And that is rarely sufficient when the pressure is highest. A well-considered plan means your employees know exactly what to do, which systems to prioritise, and how quickly you need to be operational again.
RTO and RPO: The two key metrics
Two concepts are absolutely central to disaster recovery:
Recovery Time Objective (RTO) is the maximum time it may take to restore a system after an incident. If your ERP system has an RTO of 4 hours, it must be operational within 4 hours of the outage.
Recovery Point Objective (RPO) is the maximum acceptable data loss measured in time. An RPO of 1 hour means you may lose at most 1 hour of data. This sets requirements for how frequently you take backups.
RTO and RPO are established for each critical system and are based on a business impact analysis that assesses the consequences of downtime and data loss. A customer-facing payment system typically has stricter requirements than an internal document archive.
These metrics drive your technical choices. A low RPO requires frequent backups or real-time replication. A low RTO requires redundant systems that can take over immediately. Both come at a cost, and it is a risk assessment that determines what is proportionate.
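An added example, not part of the original page: a check of a backup catalogue and restore-test results against each system's RPO and RTO. The system names, timestamps and data layout are constructed for illustration; an unverified backup is not counted as a restore point, so a single failed job on an hourly schedule doubles the exposure.

```python
from datetime import datetime, timedelta

# Constructed sample data: targets per system, as set by the business impact analysis.
SYSTEMS = {
    "erp": {"rto": timedelta(hours=4), "rpo": timedelta(hours=1)},
    "archive": {"rto": timedelta(hours=48), "rpo": timedelta(hours=24)},
}
# Constructed backup catalogue: (system, completed_at, verified).
BACKUPS = [
    ("erp", datetime(2024, 5, 1, 8, 0), True),
    ("erp", datetime(2024, 5, 1, 9, 0), True),
    ("erp", datetime(2024, 5, 1, 10, 0), False),  # ran, but verification failed
    ("erp", datetime(2024, 5, 1, 11, 0), True),
    ("archive", datetime(2024, 4, 30, 23, 0), True),
]
# Constructed restore-test results: restore duration measured in the last exercise.
RESTORE_TESTS = {"erp": timedelta(hours=3, minutes=30)}
NOW = datetime(2024, 5, 1, 11, 30)  # fixed "current time" so the result is repeatable


def worst_data_loss(system, now):
    """Largest gap between verified restore points, including the gap up to now."""
    points = sorted(t for s, t, ok in BACKUPS if s == system and ok and t <= now)
    if not points:
        return None  # no usable restore point at all
    edges = points + [now]
    return max(later - earlier for earlier, later in zip(edges, edges[1:]))


def assess(system, now):
    """Return a list of findings where evidence does not support the targets."""
    target, findings = SYSTEMS[system], []
    loss = worst_data_loss(system, now)
    if loss is None:
        findings.append("RPO: no verified backup")
    elif loss > target["rpo"]:
        findings.append(f"RPO: exposure {loss} exceeds target {target['rpo']}")
    measured = RESTORE_TESTS.get(system)
    if measured is None:
        findings.append("RTO: never tested")
    elif measured > target["rto"]:
        findings.append(f"RTO: measured {measured} exceeds target {target['rto']}")
    return findings


if __name__ == "__main__":
    for name in SYSTEMS:
        print(name, assess(name, NOW) or "within targets")
```
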
Contents of a disaster recovery plan
A good disaster recovery plan contains:
- System classification: An overview of all IT systems with their criticality, RTO and RPO.
- Backup strategy: What is backed up, how often, where it is stored, and how it is verified. Encryption of backups is essential for protecting personal data.
- Recovery procedures: Step-by-step instructions for restoring each critical system.
- Roles and responsibilities: Who activates the plan, and who carries out the recovery?
- Communication plan: Who must be informed, and when? This applies both internally and externally, including any notification to supervisory authorities in the event of a personal data breach.
- Test and exercise plan: Scheduled tests of recovery procedures to verify they work.
The plan must be stored so that it is accessible even when your normal systems are down. This typically means a copy offline or with a trusted third party.
Regulatory requirements for disaster recovery
GDPR Article 32 requires "the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident". This is a direct requirement for disaster recovery for systems processing personal data.
NIS2 requires business continuity measures including backup management and disaster recovery. Essential and important entities must have plans in place and test them regularly.
DORA goes further still for financial undertakings with detailed requirements for ICT continuity plans, recovery tests and reporting to supervisory authorities.
ISO 27001 addresses disaster recovery in Annex A with controls for information security continuity. Your information security policy must describe the approach to continuity, and your ISMS must ensure plans are maintained and tested.
Regardless of which regulations you are subject to, the message is the same: you must be able to restore your systems, and you must be able to prove it through documentation and testing.
Frequently Asked Questions about Disaster Recovery
What is the difference between disaster recovery and a business continuity plan?
Disaster recovery focuses specifically on restoring IT systems and data after an incident. A business continuity plan (BCP) is broader and covers the entire organisation's ability to maintain operations, including business processes, communication and personnel.
What are RTO and RPO?
RTO (Recovery Time Objective) is the maximum time it may take to restore a system after an incident. RPO (Recovery Point Objective) is the maximum acceptable data loss measured in time, i.e. how far back your most recent usable backup may be.
How often should a disaster recovery plan be tested?
At least once a year and after significant changes to the IT infrastructure. Critical systems should be tested more frequently. DORA and NIS2 set explicit requirements for regular testing of continuity plans.
Does GDPR require a disaster recovery plan?
GDPR Article 32 requires the ability to restore the availability of personal data in a timely manner following an incident. A disaster recovery plan is the most effective way to meet this requirement.
Related Terms
Business Continuity Plan
A business continuity plan (BCP) describes how your organisation maintains critical business functions during and after a crisis or serious incident.
Business Continuity Management
The framework for planning and preparing an organisation to maintain critical business processes and ensure rapid recovery after disruptive events, including information security continuity under ISO 27001.
Backup
A security copy of data and systems that enables recovery after data loss, ransomware attacks or system failures.