ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Free_Downloads
 

Have a question on ISO 27001 or ISO 22301?

Ask an Expert
 

Free eBook

Free eBook 9 Steps to Cybersecurity
 
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
 
Newsletter
 
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.
 
 
 
 
 
 
 
    

UPCOMING FREE WEBINAR

    

 
ISO 22301: An overview of BCM implementation process

    

Wednesday
September 10, 2014

    Register_now_green
    
 
 
 

Disaster recovery site – What is the ideal distance from primary site?

'By 'Dejan Kosutic on November 19, 2012

The alternative site for your data center must be 50 miles away from the primary site. No, make that 100 miles… or is it 200 miles? Or perhaps kilometers? Well, none of this is correct – the truth is, there is no one-size-fits-all answer to this question.

Regulations and standards

Let me start with an example here – in 2002 and 2003, U.S. federal regulators had planned to require financial institutions to move their disaster recovery centers 200 or 300 miles away from primary sites. However, this initiative had failed not only because the banks have strongly opposed such regulation, but also because it has proved to be quite unfeasible.

The situation in the majority of other countries is similar. Of course, I’m not familiar with every regulation in the world, but from those I read, I didn’t find any with a precise definition. (If I’m wrong, feel free to add such regulations in the comments below.) Most of the regulations that deal with this matter do, however, say there must be a disaster recovery site at a “safe distance.”

Regarding standards, the situation is similar – neither ISO 22301 (new international business continuity standard), nor BS 25999-2 (its predecessor), or any of the standards from NIST SP 800 or ISO 27k series are precise about it.

Risk assessment

So, the decision is obviously left to the companies themselves – and such decisions cannot be made based on someone’s feeling, but on a study. In this case, a study is called “risk assessment,” and its purpose is to take into account all the relevant factors.

Here are the factors that tend to push the location further away:

  • Earthquakes – if your location is in a seismic-sensitive area
  • Floods – you should position an alternative site out of the same flood plain
  • Tsunamis – you shouldn’t place both primary and secondary location on the coast of an ocean
  • Other natural disasters – e.g. forest fires, tornados/hurricanes, volcanos – if your primary site is close to such areas, the disaster recovery site should be further away
  • Large industrial facilities, nuclear power plants, or military installations – again, at least one of your locations should be at a safe distance
  • Dependence on the same source of electrical power – you should look for locations on a different power grid
  • Even if your risk assessment proves none of the above are applicable to you, take into account risks like pandemic diseases – in such cases, authorities will likely close the whole metropolitan area

However, there are some factors that force you to position a disaster recovery location as close as possible:

  • Telecommunication links – the further the sites are away, the more difficult it becomes (i.e. more costly) to replicate the data between these sites
  • If your employees are expected to travel to an alternative site in case of disaster – they have to be able to make it within the RTO (Recovery Time Objective); besides, the road between the sites shouldn’t be full of bridges and tunnels.

Main problems – small countries and small budgets

From the position of United States (or for that matter, Canada), the distance of few hundred miles is never a problem; imagine now you are a company in a European country with the geographical size of the Los Angeles metropolitan area, and the population of one city block in L.A. In such situations, the easiest solution would be to position a disaster recovery site in a neighboring country with compatible laws and regulations.

The main problem is usually the cost – building such a site and maintaining it costs far more than just an ordinary office building. This is why you could rent such a space for your alternative data center site from companies specialized in disaster recovery services. Or, there is a cloud computing option, but this is a completely different story…

To conclude, to mitigate most of the risks I would suggest you place a disaster recovery location somewhere between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location. But again, please do your risk assessment first.

Click here to see a template of Business Continuity Strategy that will help you with making decisions about disaster recovery locations (commercially sold template) .