Hello, I am having a hard time understanding the difference between BCP and DR. I know for our ISO cert we have to include a.17.4.6, right? That is the Disaster Recovery Plan, but our certifier is saying we do not have to complete the Business Continuity Plan, which is the rest of a.17. Why is that?
BCP is wider than a DR. BCP aims to ensure the business continues to operate after a disruptive event, while the DR aims to handle the impacts at the affected area and bring operations back to normal conditions.
ISO 27001 aspects on business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a full Business Continuity Plan is not mandatory for this standard, and you will only need the DR template included in your toolkit.
These articles will provide you with further explanation about BCPs and DRPs:
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
- What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
Apr 22, 2020