Why isn't disaster recovery and business continuity included in the dozen security processes?
Disaster recovery and business continuity (DR/BC) is generally included in the textbook information security agenda; it is a core domain in the CISSP body of knowledge. In many organizations, though, DR/BC is actually handled outside of the information security department. The information security team is typically focused on controlling risk from malicious adversaries (worms, hackers, and so on), and the skill set of a typical information security team reflects that focus.
IT business continuity teams have a different set of skills. They are first and foremost focused on getting the necessary IT infrastructure up and running as quickly as possible after a disaster. Information security has a role to play here, without a doubt, but it is often not a role in the driver's seat. Because of this, I don't include it in the twelve security processes.
Plus, having thirteen security processes seems to be just asking for trouble.