Disaster Recovery Plan Checklist
By Paul Kirvan, CISA, Hon FBCI
General disaster recovery plan checklist
| Planning Criteria | Yes | No | Comments |
|---|---|---|---|
| Is there a clearly defined, documented and approved management process to manage a DR program? | | | |
| Are any standards incorporated into the program? | | | |
| Does the organization’s program have a program management process? | | | |
| Does the program comply with regulatory, legal and corporate policies and principles? | | | |
| Are qualified professionals involved in implementing the program? | | | |
| Have accountability and responsibilities for program staff been clearly defined and documented? | | | |
| Has competence (and crisis management) been demonstrated through exercises, tests or plan activations? | | | |
| Is the program included in the annual budgeting process? | | | |
| Do the program and associated plans focus on the organization’s mission-critical activities? | | | |
| Do the program suppliers (internal and/or outsourced providers) have up-to-date and tested plans? | | | |
| Does the program use IT assets to monitor and report on status within the organization? | | | |
| Are senior management roles in a disaster clearly defined, approved and documented? | | | |
| Have team roles and responsibilities been clearly defined, approved and documented? | | | |
| Has each role been assigned to a primary and alternate individual, both trained accordingly? | | | |
| Does the plan contain instructions, procedures and/or guidelines on casualties and fatalities? | | | |
| Does the plan contain instructions, procedures and/or guidelines on staff counseling and welfare, e.g., dealing with families, personal belongings, travel and possible relocation? | | | |
| Does the plan task list link mandatory and discretionary tasks with the individuals assigned to them? | | | |
| Does the plan have an auditable process for tracking and recording the completion of tasks after the plan has been activated, as well as any ongoing tasks? | | | |
| Does the plan have current (internal and external) contact lists? | | | |
| Does the plan include a list of key service providers and suppliers? | | | |
| Does the plan include a list of emergency responders, e.g., police, fire, EMT? | | | |
| Does the plan provide a checklist for situation management and decision-making? | | | |
Disaster recovery policy checklist
| Planning Criteria | Yes | No | Comments |
|---|---|---|---|
| Is there a clearly defined, documented and approved DR policy? | | | |
| Does the policy support corporate governance and satisfy legal and regulatory obligations? | | | |
| Does the policy provide clearly defined, documented and approved guidelines and performance standards? | | | |
| Does the policy require an audit process to evaluate capabilities and plans? | | | |
| Does the policy require verification and validation of supplier capabilities (internal and external)? | | | |
| Does the program have clearly defined, documented and approved key performance indicators (KPIs)? | | | |
| Is the program monitored, reviewed and evaluated in terms of KPIs? | | | |
Business impact analysis and risk assessment checklist
| Planning Criteria | Yes | No | Comments |
|---|---|---|---|
| Does the organization have a clearly defined and documented business impact analysis (BIA) process? | | | |
| Were current BIAs completed within the last 12 months? | | | |
| Are the RTOs and RPOs for mission-critical systems identified? | | | |
| Are BIAs carried out as part of all project and change management activities? | | | |
| Does the organization have a clearly defined and documented risk assessment process? | | | |
| Were current risk assessments completed within the last 12 months? | | | |
| Are the risks and vulnerabilities for mission-critical systems identified? | | | |
| Are risk assessments carried out as part of all project and change management activities? | | | |
Disaster recovery strategy checklist
| Planning Criteria | Yes | No | Comments |
|---|---|---|---|
| Is there a clearly defined, documented and approved overall strategy? | | | |
| Is there a clearly defined, documented and approved process-level strategy? | | | |
| Is there a clearly defined, documented and approved resource recovery strategy? | | | |
| Are all strategies aligned with, and do they support, the organization’s business? | | | |
| Does the organization have a clearly defined, documented and approved framework? | | | |
| Are roles, responsibilities and authorities identified within the organization? | | | |
| Have both technical (e.g., IT, telecoms) and non-technical (e.g., people) issues been considered for strategies? | | | |
| Is internal and external sourcing of products and services part of strategies? | | | |
| Is there a clearly defined, documented and approved framework? | | | |
| Does DR coordinate with other parts of the organization, e.g., office locations, production sites? | | | |
| Are templates and sample plans available to support the process? | | | |
General IT disaster recovery checklist
| Planning Criteria | Yes | No | Comments |
|---|---|---|---|
| Are there plans for all mission-critical IT systems, platforms, applications, data and networks? | | | |
| Do plans reflect the most current BIAs and risk assessments? | | | |
| Does the plan establish a clear response (invocation, resumption and recovery) that progresses from business disruption to resumption of normal business operations? | | | |
| Does the plan have clearly defined and current notification, invocation and escalation processes? | | | |
| Have notification, invocation and escalation processes been exercised in the past 12 months? | | | |
| Has a liaison for communications with emergency services and responders been assigned? | | | |
| Has a liaison for communications with the media been assigned? | | | |
| Does the plan define how to deal with the media and the public during a disaster? | | | |
| Has a liaison with government and regulatory agencies been assigned? | | | |
| Does the plan define how to interface with responders, utility companies and other infrastructure and public authorities? | | | |
| Does the plan establish a command center to coordinate response and recovery activities? | | | |
| Does the plan define how to set up alternate work areas in case of the loss of the primary work site? | | | |
| Does the plan define how to recover IT systems, hardware, applications, data and networks post-disaster? | | | |
| Does the plan define the process of re-establishing IT operations following a disaster? | | | |
| Does the plan define the process of re-establishing business processes following a disaster? | | | |
| Does the plan define how to recover IT-based links to employees, vendors, clients and other stakeholders? | | | |
| Does the plan define primary and alternate suppliers of IT components? | | | |
| Does the plan define how to recover electrical power and utilities to IT operations following a disaster? | | | |
Disaster recovery program considerations
| Planning Criteria | Yes | No | Comments |
|---|---|---|---|
| Does the program/plan include awareness, training and cultural development activities? | | | |
| Is there a formal awareness program for all new and existing managers and staff? | | | |
| Do senior managers clearly support the program and its policies? | | | |
| Are roles, accountabilities, responsibilities and authorities clearly defined and documented within job descriptions at all levels of the organization? | | | |
| Is DR part of the organization’s reward and recognition system? | | | |
| Is DR integrated with the organization’s performance management and appraisal system? | | | |
| Is DR an integral part of the corporate change management process? | | | |
| Is DR an integral part of the corporate project management process? | | | |
| Is there a clearly defined, documented and approved DR exercise policy/program? | | | |
| Does the exercise program support various exercise techniques? | | | |
| Are desktop walkthrough exercises conducted at least annually? | | | |
| Are other live exercises, involving the shutdown of systems, conducted at least annually? | | | |
| Are exercises developed using qualified practitioners to execute them? | | | |
| Are there clearly defined, documented and approved exercise guidelines? | | | |
| Are there clearly defined, documented and approved post-exercise evaluation and reporting processes? | | | |
| Are plans updated based on exercise results? | | | |
| Is there a clearly defined, documented and approved maintenance program? | | | |
| Does the maintenance program address all IT disaster recovery activities? | | | |
| Does the maintenance program address all IT suppliers, e.g., service-level agreements? | | | |
| Are non-compliant maintenance issues escalated to ensure they are made compliant? | | | |
| Does the maintenance process provide a clearly defined, documented and approved process for ensuring that all changes to strategy and/or plans are reflected in exercising, training and awareness programs? | | | |
| Are plans audited at least annually, if not more frequently? | | | |
| Is there a clearly defined, documented and approved audit cycle and program? | | | |
| If external auditors are needed, does the plan provide a list of qualified auditors? | | | |
| Is an audit report produced after each audit? | | | |
| Is there a process for continuous improvement of the overall program? | | | |