What Is a Disaster Recovery Plan and What Should It Include?

Professional Man and Woman at Whiteboard

What is a Disaster Recovery Plan (DRP)?

A disaster recovery plan (DRP) is a document that focuses specifically on the processes involved in the recovery of data and technological operations, often at an alternate site or facility, in the case of a major software or hardware failure or the destruction of facilities (such as in the event of a natural disaster or fire).

The DRP should drill down into the specifics of recovering and restoring all that data which is crucial to your organisation and business operations, regardless of the magnitude of the disaster.

In order to craft a suitable disaster recovery plan for your organisation, and minimise downtime and potential financial or productivity losses, it’s essential to understand the core components required.

What Should a Disaster Recovery Plan Include?

A Definition of Disaster

A clearly defined checklist of attributes for a disaster should be included in your DRP. While in the main this will be clear (through natural disasters, the loss of access to a data centre etc.), this preliminary step is worthwhile to clear up any potential guesswork. In addition, by explicitly naming what constitutes a disaster for your business specifically, organisations are forced to consider the potential vulnerabilities of their essential assets and any necessary back up mechanisms not yet employed.

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

Both of these objectives should be included within your DRP. They describe:

RTO: The maximum time tolerable for your organisation to recover and resume standard operations in the case of a disaster. This will be different for all organisations but should be decided and clearly noted.

RPO: The maximum level, or quantity, of data that your organisation can afford to lose in the event of a disaster. As above, this will differ from business to business, but may range from an hour’s worth of data to a day’s worth of data and so on.

Two People At A Desk Scanning a Contract Document

An Inventory of Hardware and Software

For the plan to constitute an effective method of recovery, it should contain a comprehensive inventory of all IT assets. In order to keep your DRP current, be sure to update this list regularly.

It is often useful for businesses to break down their IT inventory into Critical Assets (necessary for business operations), Important Applications (without which normal operations will be disrupted) and Unimportant Applications (which are used less frequently) in order to establish a hierarchy of priority when considering how to approach disaster recovery.

Identification of Sensitive Data

Whether in the form of personal or customer data, financial records or intellectual property, all businesses hold sensitive data to some degree. For many businesses, this data is also likely to be subject to compliance obligations. In this instance, those obligations may stipulate how such data should be handled and recovered in the case of a disaster. However, even if this is not the case, by identifying where sensitive data is stored, along with associated back-ups, it can be appropriately prioritised within your DR plan.

Defined Personnel Roles

One key aim of a DRP is to ensure that all of the appropriate team members are accounted for and aware of their responsibilities in the face of a defined disaster. The plan should outline which staff members are responsible for the DR procedure, along with their contact information (this is particularly useful in contemporary organisations where remote working is likely).

Consider that aside from technical and IT operational teams, it is likely that other departments will be required to handle the less commonly considered elements of disaster recovery including communications, HR, and legal.

Drafting Documents

Disaster Recovery Sites and Requirements

In order to properly respond to a disaster it must be clear ahead of time exactly where all assets are located, as well as where these will be moved to if necessary. These sites can be split into three varieties according to their readiness to be made live: A Hot Site (an already-functional site with necessary equipment for operations to continue as normal), A Warm Site (an already-functional site to continue the use of only critical systems, note that data within a warm site may not be “live” and up to date), and a Cold Site (primarily used for backups without the ability to operate from the off).

When considering which sites will be called upon in the case of a disaster, take the time to identify the requirements your organisation will have for these locations. This might be physical space to work, personnel, specific equipment, or operational tools.

Outlined Disaster Response Procedures

When disaster strikes, time is of the essence. All staff concerned should know exactly what to do, when to do it, and in what order, to minimise potential damage, data loss and down time. The procedures of a DRP will look different for every organisation in order to align with priorities and individual assets and systems, but clear action steps should be outlined at this stage to ensure response efforts can be carried out as soon as it is safe to do so, and normal operations can resume with minimal interruptions to business.

A Communication Policy

Throughout a disaster and in its immediate and continued aftermath, proper communication is vital. This may be internal, external, or a combination of the two. Ensure it is agreed in the preparation stage: which details of a disaster incident will be reported, to whom, by whom, and in what order. Should a disaster cause significant impact on operations or held data, or impact the public or customers, the press may need to be altered. Be aware of this and brief the relevant teams within your organisation to prepare for a prompt turnaround on communications.

By completing the above steps an organisation should hopefully be able to craft a disaster recovery plan suitable for the majority of eventualities. However, it’s essential that a DRP is not created in a vacuum and then disregarded until such a time that it is needed. Updates should be made to the DRP as and when is necessary (once a year at an absolute minimum), and to cement preparedness drills are an excellent way to shine a light on potential gaps in a plan and collect learnings for future updates.

Explore Our Professional Cyber Security Services

You may also be interested in these articles:



Contact Us