
External Risks to IT: Business Continuity Planning (BCP)

Continuity planning provides procedures to be used when a catastrophic event affects the security and/or integrity of information. Information security efforts must thwart data threats of all types, including intentional, accidental and natural. Critical data may be lost due to attack, inadvertent deletion, hardware failure, and a myriad of other causes.

Many security risks exist outside the organization. Such risks must be considered in the development of a business continuity plan (BCP). The largest, most obvious risks are natural disasters such as earthquakes, floods, hurricanes and fire. Such events can create overwhelming circumstances and are usually unavoidable and uncontrollable. BCPs must include off-site data backups for this reason. If a single server or the entire building were to be destroyed, a copy of the data must survive off-site in a secure location.

Other external risks include power service failure, telecom service failure and physical security threats. While these events may not be considered catastrophic, they should be addressed in a BCP, and rapid recovery or secondary services must be considered. Some examples may include uninterruptible power supply (UPS) systems or redundant WAN services.

Other non-natural events have recently come to the forefront. Acts of terrorism (directly causing physical damage) and non-physical threats such as viruses must also be considered.

About Matt

Matt is the owner of modMACRO, an independent web design and internet marketing firm that works with small businesses and non-profits in Southern California and all over the U.S.

One Response so far.

  1. Dato says:

    A good point raised here. Even I’m not convinced with the popular definition that you quoted above saying DRP is only for IT! I have the following difference of opinion on the thoughts noted above:

    A) If the organization (after the fire has completely impacted one office) kicks in Emergency response and then starts operating from a different office, this is not real continuity, according to me. This is still a recovery. In fact Immediate recovery Option is Real Continuity (again according to me) is when the minimal vital business function can continue (without interruption) even in the occurrence of such an event. For example, if the vital business functions are distributed in two different locations instead of concentrating in a single location, at least a part of the business will continue from the other location, when the disaster occurs in one of the locations.

    B) DRP should encompass the recovery during a disaster situation (like start operations on a mirror site, like you mentioned above) as well as the plan to come back to normal condition, post the disaster scenario.

    C) If I go with point B, then Emergency response plan is a subset of your Disaster Recovery Plan. So, as per me, overall BCP = Plan for continuing Vital business functions (if exists) + DRP

    Here DRP = ERP + Recovery plan + Restoration plan

    The terms used above are just for explanation purpose. I am not sure about their authenticity.
