Disaster recovery plan checklist: Identifying weak points in your plan

Use our checklist to evaluate and find any weaknesses in your disaster recovery plan.

What you will learn in this tip: When evaluating a disaster recovery (DR) plan, deficiencies can occur in numerous places. In this tip, we’ll provide you with a disaster recovery checklist to help you spot any weaknesses in your plan. 

Most of today’s disaster recovery and business continuity standards feature a well-defined framework for business continuity/disaster recovery programs and plans. Following this framework doesn’t mean that your plan will save your business when a disaster occurs, but at least you can be assured that you have covered all the relevant bases. The following checklist will help you improve—and identify deficiencies in—your disaster recovery plan.

General disaster recovery plan checklist

  •   Is there a clearly defined, documented and approved management process to manage a DR program?
  •   Are any standards incorporated into the program?
  •   Does the organization’s program have a program management process?
  •   Does the program comply with regulatory and legal requirements, and with corporate policies and principles?
  •   Are qualified professionals involved in implementing the program?
  •   Have accountability and responsibilities for program staff been clearly defined and documented?
  •   Has competence (and crisis management) been demonstrated through exercises, tests or plan activations?
  •   Is the program included in the annual budgeting process?
  •   Do the program and associated plans focus on the organization’s mission-critical activities?
  •   Do the program suppliers (internal and/or outsourced providers) have up-to-date and tested plans?
  •   Does the program use IT assets to monitor and report on status within the organization?
  •   Are senior management roles in a disaster clearly defined, approved and documented?
  •   Have team roles and responsibilities been clearly defined, approved and documented?
  •   Has each role been assigned to a primary and alternate individual, both trained accordingly?
  •   Does the plan contain instructions, procedures and/or guidelines on casualties and fatalities?
  •   Does the plan contain instructions, procedures and/or guidelines on staff counseling and welfare, e.g., dealing with families, personal belongings, travel and possible relocation?
  •   Does the plan task list link mandatory and discretionary tasks with the individuals assigned to them?
  •   Does the plan have an auditable process for tracking and recording the completion of tasks after the plan has been activated, as well as any on-going tasks?
  •   Does the plan have current (internal and external) contact lists?
  •   Does the plan include a list of key service providers and suppliers?
  •   Does the plan include a list of emergency first responders, e.g., police, fire, EMT?
  •   Does the plan provide a checklist for situation management and decision-making?

Disaster recovery policy checklist

  •   Is there a clearly defined, documented and approved DR policy?
  •   Does the policy support corporate governance and satisfy legal and regulatory obligations?
  •   Does the policy provide clearly defined, documented and approved guidelines and performance standards?
  •   Does the policy require an audit process to evaluate capabilities and plans?
  •   Does the policy require verification and validation of supplier capabilities (internal and external)?
  •   Does the program have clearly defined, documented and approved key performance indicators (KPIs)?
  •   Is the program monitored, reviewed and evaluated in terms of KPIs?

Business impact analysis and risk assessment checklist

  •   Does the organization have a clearly defined and documented business impact analysis (BIA) process?
  •   Were current BIAs completed within the last 12 months?
  •   Are the recovery time objectives (RTOs) and recovery point objectives (RPOs) for mission-critical systems identified?
  •   Are BIAs carried out as part of all project and change management activities?
  •   Does the organization have a clearly defined and documented risk assessment process?
  •   Were current risk assessments completed within the last 12 months?
  •   Are the risks and vulnerabilities for mission-critical systems identified?
  •   Are risk assessments carried out as part of all project and change management activities?

Disaster recovery strategy checklist

  •   Is there a clearly defined, documented and approved overall strategy?
  •   Is there a clearly defined, documented and approved process-level strategy?
  •   Is there a clearly defined, documented and approved resource recovery strategy?
  •   Are all strategies aligned with, and do they support, the organization’s business?
  •   Does the organization have a clearly defined, documented and approved framework?
  •   Are roles, responsibilities and authorities identified within the organization?
  •   Have both technical (e.g., IT, telecoms) and non-technical (e.g., people) issues been considered for strategies?
  •   Is internal and external sourcing of products and services part of strategies?
  •   Is there a clearly defined, documented and approved planning framework?
  •   Does planning coordinate with other parts of the organization, e.g., office locations, production sites?
  •   Are plan templates and sample plans available to support the planning process?

General IT disaster recovery checklist

  •   Are there plans for all mission-critical IT systems, platforms, applications, data and networks?
  •   Do plans reflect the most current BIAs and risk assessments?
  •   Does the plan establish a clear response (invocation, resumption and recovery) that progresses from business disruption to resumption of normal business operations?
  •   Does the plan have clearly defined and current notification, invocation and escalation processes?
  •   Have notification, invocation and escalation processes been exercised in the past 12 months?
  •   Has a liaison for communications with emergency services and first responders been assigned?
  •   Has a liaison for communications with the media been assigned?
  •   Does the plan define how to deal with the media and the public during a disaster?
  •   Has a liaison with government and regulatory agencies been assigned?
  •   Does the plan define how to interface with first responders, utility companies and other infrastructure and public authorities?
  •   Does the plan establish a command center to coordinate response and recovery activities?
  •   Does the plan define how to set up alternate work areas in case of the loss of the primary work site?
  •   Does the plan define how to recover IT systems, hardware, applications, data and networks post-disaster?
  •   Does the plan define how to recover security for IT systems, hardware, applications, data and networks?
  •   Does the plan define the process of re-establishing IT operations following a disaster?
  •   Does the plan define the process of re-establishing business processes following a disaster?
  •   Does the plan define how to recover IT-based links to employees, vendors, clients, and other stakeholders?
  •   Does the plan define primary and alternate suppliers of IT components?
  •   Does the plan define how to recover electrical power and utilities to IT operations following a disaster?

Disaster recovery program considerations

  •   Does the program/plan include awareness, training and cultural development activities?
  •   Is there a formal awareness program for all new and existing managers and staff?
  •   Do senior managers clearly support the program and its policies?
  •   Are roles, accountabilities, responsibilities and authorities clearly defined and documented within job descriptions at all levels of the organization?
  •   Is the DR program part of the organization’s reward and recognition system?
  •   Is the DR program integrated with the organization’s performance management and appraisal system?
  •   Is the DR program an integral part of the corporate change management process?
  •   Is the DR program an integral part of the corporate project management process?
  •   Is there a clearly defined, documented and approved DR exercise policy/program?
  •   Does the exercise program support various exercise techniques?
  •   Are desktop walkthrough exercises conducted, at least annually?
  •   Are other live exercises, involving the shutdown of systems, conducted at least annually?
  •   Are exercises developed and executed by qualified practitioners?
  •   Are there clearly defined, documented and approved exercise guidelines?
  •   Are there clearly defined, documented and approved post-exercise evaluation and reporting processes?
  •   Are plans updated based on exercise results?
  •   Is there a clearly defined, documented and approved maintenance program?
  •   Does the maintenance program address all IT disaster recovery activities?
  •   Does the maintenance program address all IT suppliers, e.g., service-level agreements?
  •   Are non-compliant maintenance issues escalated to ensure they are made compliant?
  •   Does the maintenance process provide a clearly defined, documented and approved process for ensuring that all changes to strategy and/or plans are reflected in exercising, training and awareness programs?
  •   Are plans audited at least annually, if not more frequently?
  •   Is there a clearly defined, documented and approved audit cycle and program?
  •   If external auditors are needed, does the plan provide a list of qualified auditors?
  •   Is an audit report produced after each audit?
  •   Is there a process for continuous improvement of the overall program?

This tip has provided a comprehensive set of disaster recovery plan checklists to help you develop the best possible plans. But even lists as detailed as these cannot address all possible DR issues, so be sure to include careful planning and review by your program team, management and qualified professionals to help ensure that you have covered all the bases.

About this author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years’ experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, to RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at pkirvan@msn.com.

This was first published in August 2011
