Disaster Recovery Plan
Hope for the Best, Prepare for the Worst
Regardless of your organisation, sector, or industry, you always face the possibility of disruption. Whether it comes from technical failures, cyber-attacks, or unforeseen global events, being prepared is an essential element of protecting your organisation.
By helping to minimise response time, mitigate losses and give you an advantage over your competition, a disaster recovery plan can mean the difference between an unfortunate incident and an existential obstacle, and should be thought of as a form of necessary insurance.
What is a Disaster Recovery Plan?
A disaster recovery plan consists of the policies and procedures your organisation follows when systems are disrupted. It should allow your organisation to restart and resume processes as soon as possible, either by restoring the disrupted services or by pivoting to a contingency system.
Steps for Writing a Disaster Recovery Plan
There are plenty of different ways of going about writing a disaster recovery plan, with many generic template documents available across the web, but as with every other element of your organisation's operations, your disaster recovery plan should be tailored specifically to your needs.
Step One – Personnel
Begin by establishing the support and commitment of higher management in developing a disaster recovery plan. Management should be responsible for coordinating these efforts and for allocating adequate time and resources, both financial and in terms of the individuals involved.
Appointing a planning committee should also be part of this first step. The committee should include members from all areas of the organisation, providing a broad and comprehensive understanding of operations, and should be able to define the scope of the plan.
Step Two – Risk Assessment
Beginning with a risk assessment and business impact analysis (BIA), the planning committee must examine a wide range of possible disasters, including natural, technical and human-based threats.
This stage requires an analysis of each functional area of the organisation, establishing and identifying the threats that face it, the likelihood of each occurring, and their potential consequences and impact.
From the loss of important documents or information to absolute worst-case scenarios, such as the destruction of a main building, the planning committee needs to consider which threats pose the greatest possibility of damage, as well as their financial implications.
Step Three – Establishing Priorities
Each department within the organisation should evaluate its critical systems, key personnel, processing systems, documentation, information and operations, and analyse the maximum amount of time that any area can operate without each of these elements.
With ‘critical’ being defined as a necessity for continued operation, a method of determining critical systems requires the functions of each department to be first documented, then ranked in order of priority as essential, important or non-essential.
Step Four – Researching Recovery Strategies
Taking the time to research and evaluate possible strategies, this stage should be about broad strokes and considering various options specific to your operations.
From the costs of testing and implementing technical redundancies, to the security procedures necessary for aspects of your organisation, such as hardware or communications, this stage of writing your disaster recovery plan should be about understanding your options.
Step Five – Collecting Data
Before any strategies can be set in stone, you should first collect information regarding the processes needed for each department to operate in the event of each identified possible disruption.
This may include contact information for power providers, lists of key members of staff, data breach notification checklists, insurance policies and inventories of equipment, office supplies and hardware: all the information needed to document the specifics of your disaster recovery plan.
Step Six – Organise and Document a Written Plan
With the approval of top management, this step of documenting your disaster recovery plan first requires establishing an outline of the plan’s contents. The outline helps to organise detailed procedures, identify major steps before writing begins, identify redundant procedures, and provide a road map for developing those procedures.
With all the necessary information compiled, the process of writing your plan can begin. As well as assigning the specific roles and responsibilities of key individuals, and all detailed procedures to be used before, during and after a disaster, a disaster recovery plan should be written in a way that easily allows continuous review.
Step Seven – Testing
With your disaster recovery plan now written, it is time to establish your procedures for testing. It is vital that a plan be thoroughly tested on a regular basis, so the procedures for this process need to be clearly defined and documented. Once they are established, the task of testing your disaster recovery plan can begin.
Completed in sections, and usually conducted at a time that will result in minimal disruption to usual operations, testing is essential to discovering and addressing any problems or issues with elements of your disaster recovery plan.
Step Eight – Approval
With your disaster recovery plan written and tested, the final step in this process is submitting the plan to top management for approval, as they are ultimately responsible for all policies and procedures within your organisation.
Though threats and disasters can come in many forms, building a disaster recovery plan is about strategically assessing what needs to be anticipated and the steps necessary to insulate your organisation from minor incidents becoming genuine disasters.
Most importantly, while these eight steps lay out a process for writing a disaster recovery plan, preparing for disruption is an on-going effort, requiring regular reviews, updates and reassessments. As the threat landscape inevitably continues to change and evolve, it is ultimately up to you and your organisation to be ready to face whatever challenges come your way.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.