Glossary

What is Disaster Recovery?

What is Disaster Recovery?

Disaster recovery (DR) is the set of policies, tools, and procedures designed to restore IT infrastructure, systems, and data following a disruptive event. While business continuity addresses the broad ability to maintain operations, disaster recovery focuses specifically on the technology layer — getting systems back online and data restored after an incident.

Key concepts

Recovery Time Objective (RTO) — the maximum acceptable amount of time that a system or application can be down after a disaster before the business impact becomes unacceptable. An RTO of 4 hours means the system must be restored within 4 hours.

Recovery Point Objective (RPO) — the maximum acceptable amount of data loss measured in time. An RPO of 1 hour means the organization can tolerate losing up to 1 hour of data, so backups must occur at least every hour.

Recovery Level Objective (RLO) — the minimum level of service or functionality that must be restored. Not all features of a system may need to be available immediately.

Disaster recovery strategies

DR strategies vary in cost, complexity, and recovery speed:

  • Backup and restore — the simplest approach: maintain regular backups and restore them to new or repaired infrastructure when needed. Lowest cost but highest RTO.
  • Pilot light — maintain a minimal version of the production environment in a secondary location that can be scaled up quickly during a disaster.
  • Warm standby — run a scaled-down but fully functional copy of the production environment that can be scaled to full capacity during failover.
  • Hot standby / active-active — run full production environments in multiple locations simultaneously. Provides near-zero RTO but at the highest cost.

The right strategy depends on the business's RTO and RPO requirements and budget.

Components of a disaster recovery plan

A comprehensive DR plan includes:

  • Scope — which systems and applications are covered
  • RTO and RPO targets — recovery objectives for each system
  • Roles and responsibilities — who is responsible for each aspect of recovery
  • Recovery procedures — step-by-step instructions for restoring each system
  • Communication plan — how to notify stakeholders during a disaster
  • Vendor contacts — contact information for infrastructure and service providers
  • Dependencies — system interdependencies that affect recovery sequence
  • Testing schedule — how and when the plan will be tested

Backup management

Backups are the foundation of disaster recovery. Best practices include:

  • 3-2-1 rule — maintain 3 copies of data, on 2 different types of media, with 1 copy offsite
  • Automated backups — schedule backups to run automatically at intervals aligned with RPO
  • Encryption — encrypt backups to protect data at rest
  • Regular testing — periodically restore from backups to verify they work
  • Monitoring — monitor backup jobs for failures and address issues immediately
  • Immutable backups — protect backups from ransomware by using immutable storage

Disaster recovery in compliance frameworks

  • ISO 27001 — control A.5.30 addresses ICT readiness for business continuity, including DR planning and testing
  • NIST CSF — RC.RP (Recovery Planning) addresses establishing and testing recovery processes
  • SOC 2 — the Availability criterion covers system recovery capabilities
  • PCI DSS — while not explicitly requiring a DR plan, requirements around data protection and system availability support DR practices

Testing the DR plan

DR testing is essential and should include:

  • Backup restoration tests — regularly restore data from backups to verify integrity
  • Failover tests — practice switching to secondary systems
  • Full DR tests — simulate a complete disaster and execute the full recovery plan
  • Tabletop exercises — walk through DR scenarios with the team

Testing should occur at least annually, with backup restoration tests performed more frequently.

How episki helps

episki tracks disaster recovery plans, backup schedules, test results, and recovery objectives. The platform sends reminders for DR testing, documents test outcomes, and maintains evidence for compliance auditors. Learn more on our compliance platform.

Related frameworks

iso27001nistcsf

Related terms

business-continuityincident-responserisk-registerencryption

Continue exploring

What is Access Control?

Glossary definition

episki vs Drata

See how we compare

What Makes a CISO Metric Actually Useful?

From the blog

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.
Start free trialBook a demo