
Expert Advice Community

Accept the risk

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

ISO 27001 RISK TREATMENT PLAN

Determine responsibilities for the implementation of controls.

AntonioS Jan 12, 2016

My organisation would like to go for ISO 27001 certification for its data center. Various applications (all applications belong to a single client) are hosted, some of them critical and some of them not. All applications hosted in the data center do not have DR.
Some of the hosted applications in the data center are critical and affect their operations. Due to lack of finance, DR is not operational. It will be operational, but it will take more time.
So can I proceed with ISO 27001 certification right now even when I don't have DR for all applications hosted in the data center? Is there any mandatory requirement of having DR in place?
What if my client is ready to accept the risk regarding unavailability of applications for a few hours or even days?

Answer:

The right way is this: you need to perform the risk assessment and treatment, and the first thing you need is to calculate the risks related to the applications (or to the whole data center). If, after this, the risk is above the acceptable level, you can:

Reduce the risk (by applying security controls)
Accept the risk
Avoid the risk
Transfer the risk

So, in your case, I think the best option is to accept the risk. This means that you know the risks, but due to lack of budget you cannot reduce them. In this case, it is very important that top management knows and approves the situation. This way, you could certify ISO 27001 in your organization.
Anyway, I think the best, if you can, is to implement DR for some applications, at least the critical ones; this way you could recover part of the IT infrastructure.
For more information about risk assessment and treatment, please read this article, “Risk Treatment Plan and risk treatment process – What’s the difference?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
