IT disaster recovery (DR) plan template: A free download and sample plan

IT disaster recovery plans provide step-by-step procedures for recovering disrupted systems and networks, and help them resume normal operations. The goal of these processes is to minimize any negative impacts to company operations. The IT disaster recovery process identifies critical IT systems and networks; prioritizes their recovery time objective; and delineates the steps needed to restart, reconfigure, and recover them. A comprehensive IT DR plan also includes all the relevant supplier contacts, sources of expertise for recovering disrupted systems and a logical sequence of action steps to take for a smooth recovery.

Assuming you have completed a risk assessment and have identified potential threats to your IT infrastructure, the next step is to determine which infrastructure elements are most important to the performance of your company's business. Also assuming that all IT systems and networks are performing normally, your firm ought to be fully viable, competitive and financially solid. When an incident -- internal or external -- negatively affects the IT infrastructure, the business could be compromised.

Step-by-step IT DR plan development

Using the structure noted in SP 800-34, we can expand those activities into the following structured sequence of activities.

1. The plan development team should meet with the internal technology team, application team, and network administrator(s) and establish the scope of the activity, e.g., internal elements, external assets, third-party resources, linkages to other offices/clients/vendors; be sure to brief IT department senior management on these meetings so they are properly informed.
2. Gather all relevant network infrastructure documents, e.g., network diagrams, equipment configurations, databases.
3. Obtain copies of existing IT and network DR plans; if these do not exist, proceed with the following steps.
4. Identify what management perceives as the most serious threats to the IT infrastructure, e.g., fire, human error, loss of power, system failure.
5. Identify what management perceives as the most serious vulnerabilities to the infrastructure, e.g., lack of backup power, out-of-date copies of databases.
6. Review previous history of outages and disruptions, and how the firm handled them.
7. Identify what management perceives as the most critical IT assets, e.g., call center, server farms, Internet access.
8. Determine the maximum outage time management can accept if the identified IT assets are unavailable.
9. Identify the operational procedures currently used to respond to critical outages.
10. Determine when these procedures were last tested to validate their appropriateness.
11. Identify emergency response team(s) for all critical IT infrastructure disruptions; determine their level of training with critical systems, especially in emergencies.
12. Identify vendor emergency response capabilities; if they have ever been used; if they were did they work properly; how much the company is paying for these services; status of service contract; presence of service-level agreement (SLA) and if it is used.
13. Compile results from all assessments into a gap analysis report that identifies what is currently done versus what ought to be done, with recommendations as to how to achieve the required level of preparedness, and estimated investment required.
14. Have management review the report and agree on recommended actions.
15. Prepare IT disaster recovery plan(s) to address critical IT systems and networks.
16. Conduct tests of plans and system recovery assets to validate their operation.
17. Update DR plan documentation to reflect changes.
18. Schedule next review/audit of IT disaster recovery capabilities.
    (Source: NIST SP 800-34)

Important IT disaster recovery planning considerations

Reviewing the IT disaster recovery plan template

Next, we'll examine the table of contents from the template, indicating key issues to address and activities to perform.

1. Information Technology Statement of Intent -- This sets the stage and direction for the plan.
2. Policy Statement -- Very important to include an approved statement of policy regarding the provision of disaster recovery services.
3. Objectives -- Main goals of the plan.
4. Key Personnel Contact Information -- Very important to have key contact data near the front of the plan. It's the information most likely to be used right away, and should be easy to locate.
5. Plan Overview -- Describes basic aspects of the plan, such as updating.
6. Emergency Response -- Describes what needs to be done immediately following the onset of an incident.
7. Disaster Recovery Team -- Members and contact information of the DR team.
8. Emergency Alert, Escalation and DRP Activation -- Steps to take through the early phase of the incident, leading to activation of the DR plan.
9. Media -- Tips for dealing with the media.
10. Insurance -- Summarizes the insurance coverage associated with the IT environment and any other relevant policies.
11. Financial and Legal Issues -- Actions to take for dealing with financial and legal issues.
12. DRP Exercising -- Underscores the importance of DR plan exercising.
13. Appendix A -- Technology Disaster Recovery Plan Templates -- Sample templates for a variety of technology recoveries; useful to have technical documentation available from select vendors.
14. Appendix B -- Suggested Forms -- Ready-to-use forms that will help facilitate the plan completion.