CIO Wiki

  • Recent changes
  • Random page
  • Help about MediaWiki
  • What links here
  • Related changes
  • Special pages
  • Printable version
  • Permanent link
  • Page information
  • View source

Disaster Recovery Plan (DRP)

A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. [1]

A Disaster Recovery Plan (DRP) is a business plan that describes how work can be resumed quickly and effectively after a disaster. Disaster recovery planning is just part of business continuity planning and is applied to aspects of an organization that rely on an IT infrastructure to function. The overall idea is to develop a plan that will allow the IT department to recover enough data and system functionality to allow a business or organization to operate - even possibly at a minimal level. The creation of a DRP begins with a DRP proposal to achieve upper-level management support. Then a business impact analysis (BIA) is needed to determine which business functions are the most critical and the requirements to get the IT components of those functions operational again after a disaster, either on-site or off-site. [2]

Disaster Recovery Plan

Scope and Objectives of a Disaster Recovery Plan [3] The Disaster Recovery Plan provides a state of readiness allowing prompt personnel response after a disaster has occurred. This, in turn, provides for a more effective and efficient recovery effort. The Disaster Recovery Plan should be developed to accomplish the following objectives: 1. Limit the magnitude of any loss by minimizing the duration of a critical application service interruption. 2. Assess the damage, repair the damage, and activate the repaired computer center. 3. Recover data and information imperative to the operation of critical application’s. 4. Manage the recovery operation in an organized and effective manner. 5. Prepare technology personnel to respond effectively in disaster recovery situations. Every business has the responsibility to respond to any short or long-term disruption of services. By developing, documenting, implementing, and testing this Disaster Recovery Plan, businesses will be able to restore the availability of critical applications in a timely and organized manner following a disaster occurrence. In order to accomplish these objectives, the technology area will depend on support from senior management, end users, and staff departments. Disaster Recovery Plan activities are initiated by a situation or disaster alert procedure. After the discovery of an incident, technology management will be informed of a potential disaster at the computer center. The Recovery Management Team will perform an assessment of the situation and determine if there is a need to declare a disaster and activate the Disaster Recovery Plan. When the Plan is activated, assigned recovery personnel will be alerted and directed to activate their recovery procedures.

Types of Disaster Recovery Plan (DRP) [4] There is no one right type of disaster recovery plan, nor is there a one-size-fits-all disaster recovery plan. However, there are three basic strategies that feature in all disaster recovery plans: (1) preventive measures, (2) detective measures, and (3) corrective measures. Preventive measures will try to prevent a disaster from occurring. These measures seek to identify and reduce risks. They are designed to mitigate or prevent an event from happening. These measures may include keeping data backed up and off-site, using surge protectors, installing generators, and conducting routine inspections. Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. Their aim is to uncover new potential threats. They may detect or uncover unwanted events. These measures include installing fire alarms, using up-to-date antivirus software, holding employee training sessions, and installing server and network monitoring software. Corrective measures are aimed to restore a system after a disaster or otherwise unwanted event takes place. These measures focus on fixing or restoring the systems after a disaster. Corrective measures may include keeping critical documents in the Disaster Recovery Plan or securing proper insurance policies after a "lessons learned" brainstorming session. A disaster recovery plan must answer at least three basic questions: (1) what is its objective and purpose, (2) who will be the people or teams who will be responsible in case any disruptions happen, and (3) what will these people do (the procedures to be followed) when the disaster strikes.

Stages of a Disaster Recovery Plan [5] The goal of a DRP is to resume normal computing capabilities in as little time as possible. A typical DRP has several stages, including the following:

  • Understanding an organization's activities and how all of its resources are interconnected.
  • Assessing an organization's vulnerability in all areas, including operating procedures, physical space and equipment, data integrity and contingency planning.
  • Understanding how all levels of the organization would be affected in the event of a disaster.
  • Developing a short-term recovery plan.
  • Developing a long-term recovery plan, including how to return to normal business operations and prioritizing the order of functions that are resumed.
  • Testing and consistently maintaining and updating the plan as the business changes.

Phases in Developing an Effective Disaster Recovery Plan (DRP) [6]

  • Business Impact Analysis (BIA): Performing a careful and complete Business Impact Analysis (BIA) is critical to developing an effective Disaster Recovery Plan. During this phase, system requirements, functions, and interdependencies are analyzed — the results are then used to identify system contingencies as well as set priorities. The Business Impact Analysis drives the Disaster Recovery Plan by identifying the applications and systems that will significantly impact the business in the event of a disaster. During this phase, it is vital that input be obtained from departments across the enterprise, from Human Resources and Customer Service, to Information Technology and Accounting . In addition to using this information gathering to define critical time frame, the BIA is also an effective strategy to educate the enterprise on the need for a Disaster Recovery Plan and to identify any alternative manual procedures that could potentially minimize the impact of an interruption in system availability.
  • Defining RPO and RTO: Critical to BIA is determining the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) . The RPO is the point in time to which data must be recovered; the RTO is the overall length of time an IT component can be in recovery before it negatively impacts critical business processes. The analysis is important because different applications and IT components will have different RPOs and RTOs. For example, an application that supports a mission -critical application, such as customer order processing, may have a short RPO/RTO, while an application that runs an internal, non-customer facing of low import may have a much longer RPO/RTO.
  • Architecting Your Recovery Strategies Developing a solid Disaster Recovery strategy requires a comprehensive approach. Key items that need to be considered include network requirements, infrastructure needs, data recovery, data and record management, security, and compliance . After the critical applications and data recovery objectives are identified, the company needs to architect the specific strategies and solutions to make sure the recovery objectives for applications, network, and data are restored in the appropriate timeframes. Meeting these recovery objectives may involve deploying new architecture , tools, and infrastructure internally or with the assistance of an external service provider. Options to be considered include electronic vaulting, tape retention, or a dual data center approach.
  • Testing and Training: Performing thorough analysis and developing sound recovery strategies are critical to a solid Disaster Recovery Plan; however, testing the plan and training staff on executing the plan is vital to successful DR planning. The only way to validate that your plan will work is to test the plan on a regular basis and put a function in place to ensure it is updated to reflect changes in the environment. There are various levels of testing, with varying degrees of involvement - from a structured walk-through with key technical resources verbally assessing the plan, to simulation testing where a disaster is simulated so the plan can be implemented, to full interruption testing, in which the disaster recovery plan is activated in total. The organization needs to establish the testing required to effectively assess the validity of the plan. In tandem with testing the plan is the need to train assigned personnel both on their roles in the disaster recovery scenario and on the broader content of the plan itself. Like testing, the organization needs to regularly revisit the training plan to address the organizational changes, new hires, and attrition that are inevitable.

Key Elements of a Disaster Recovery Plan (DRP) [7] Ensuring that your assets, data and hardware are protected is only part of a disaster recovery plan – the rest is determining a process for how quickly you can be back up and running. Rather than scrambling to put the pieces back together after a major storm, it’s time to put a plan in place. Here are the seven key elements of a business disaster recovery plan.

  • Communication Plan and Role Assignments: When it comes to a disaster, communication is of the essence. A plan is essential because it puts all employees on the same page and ensures clearly outlines all communication. Documents should have all updated employee contact information and employees should understand exactly what their role is in the days following the disaster. Assignments like setting up workstations, assessing damage, redirecting phones and other tasks will need assignments if you don’t have some sort of technical resource to help you sort through everything.
  • Plan For Your Equipment: It’s important you have a plan for how to protect your equipment when a major storm is approaching. You’ll need to get all equipment off the floor, moved into a room with no windows, and wrapped securely in plastic to ensure that no water can get to the equipment. It’s obviously best to completely seal equipment to keep it safe from flooding, but sometimes in cases of extreme flooding, this isn’t an option.
  • Data Continuity System: As you create your disaster recovery plan, you’ll want to explore exactly what your business requires in order to run. You need to understand exactly what your organization needs operationally, and financially, with regard to supplies, and with communications. Whether you’re a large consumer business that needs to fulfill shipments and communicate with its customers about those shipments or a small business-to-business organization with multiple employees – you should document what your needs are so that you can make the plans for backup, business continuity, and have a full understanding of the needs and logistics surrounding those plans.
  • Backup check: Make sure that your backup is running and include running an additional full local backup on all servers and data in your disaster preparation plan. Run them as far in advance as possible and make sure that they’re backed up to a location that will not be impacted by the disaster. It is also prudent to place that backup on an external hard drive that you can take with you offsite, just as an additional measure should anything happen.
  • Detailed Asset Inventory: In your disaster preparation plan, you should have a detailed inventory of workstations, their components, servers, printers, scanners, phones, tablets, and other technologies that you and your employees use on a daily basis. This will give you a quick reference for insurance claims after a major disaster by providing your adjuster with a simple list (with photos) of any inventory you have.
  • Pictures Of the Office and Equipment (before and after prep): In addition to the photos that you should have of individual inventory items, you’ll want to take photos of the office and your equipment to prove that those items were actively in use by your employees and that you took the necessary diligence to move your equipment out of harm's way to prepare for the storm.
  • Vendor Communication and Service Restoration Plan: After a storm passes, you’ll want to begin running as quickly as possible. Make sure that you include vendor communication as part of your plan. Check with your local power provider to assess the likelihood of power surges or outages while damage is repaired in the area. You’ll also want to include checking with your phone and internet providers on restoration and access.

Testing Criteria and Procedures for Disaster Recovery Plans [8] Best practices dictate that DR plans be thoroughly tested and evaluated on a regular basis (at least annually). Thorough DR plans include documentation with the procedures for testing the plan. The tests will provide the organization with the assurance that all necessary steps are included in the plan. Other reasons for testing include:

  • Determining the feasibility and compatibility of backup facilities and procedures.
  • Identifying areas in the plan that need modification.
  • Providing training to the team managers and team members.
  • Demonstrating the ability of the organization to recover.
  • Providing motivation for maintaining and updating the disaster recovery plan.

Reviewing a Disaster Recovery Plan [9] The National Institute of Standards and Technology (NIST) is a good resource for standards and guidelines to help businesses build a solid IT recovery plan. In its Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, recommendations are outlined to help organizations systematically review their plans to identify gaps that need to be addressed. There are three common ways to review a plan:

  • Testing the system. An organization can test the system. Tests often focus on recovery and backup operations. An example would be removing power from a system to evaluate how quickly the organization can recover.
  • Conducting a tabletop exercise. These are discussion-based exercises where a facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.
  • Conducting a functional exercise. This allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner. The goal is to exercise the roles and responsibilities of specific team members, procedures and assets involved in one of more aspects of the recovery plan.

Disaster Recovery Plan Mistakes to Avoid (See Figure Below) [10] 1. Not Updating Your DRBC Plan: Many businesses will create a recovery plan and put it on the shelf to gather dust. This is a crucial mistake that should be avoided at all costs. Businesses experience turnover and the names and responsibilities on the plan will change. If the employee assigned to a task leaves your company and a new employee is not assigned to that task when disaster strikes nobody will do the task. The best practice would be to update your plan a minimum of once a year. 2. Having Only One Person Creating The DR Plan: Once you begin creating a DR plan you will realize how complex and time intensive it can be. There are many levels and facets to a great DR plan. You need the input of various employees from different departments in your organization to insure you have considered every contingency. Create a Disaster Recovery (DR) plan team that can work together and separately on creating the entire plan. 3. Thinking Your Insurance Policy and DR Plan Are The Same Thing: Having good insurance is a vital part of your DR Plan but it is only a part. You will need to know how to keep your company running while you are waiting for the insurance company to write you a check. Customers understand that disasters happen, but they expect companies to have a contingency plan in place to lessen the disruption of service. 4. Not Running Drills: Employees need to be trained on what to expect if a disaster happens. If they have tasks to complete, they need to have that knowledge before an actual disaster occurs. Employees and their alternates should practice their tasks to make sure they fully understand how to execute them. Finding out in a drill that someone is unable to complete their task is much better than when an active event occurs. 5. Depending On A Phone Tree: Communication during a disaster is critical. Phone trees are notorious for failing a few levels in. You need to make sure you have a reliable communication plan in place. Put your employees, vendors, and important clients' contact information in your plan for easy access. Consider hosting your plan on a platform that offers a communication feature like the one in Stay in Business. 6. Over-Assigning DR Duties To Employees: If the same employee is given the majority of the tasks to do, your company’s recovery time will be slowed. Only assign tasks to the same person that they can reasonably complete. Assigning teams to a task can help alleviate this problem. While one person needs to be responsible for overseeing the task gets done, multiple people can help accomplish it. 7. Not Tracking When Tasks Get Done: During the confusion that can occur because of a disaster, keeping track of what has been done and what still needs to be started can be a hard job. Employee accountability for starting and completing their tasks can be simplified by a tracking system or checklist. The more you can automate your reporting needs, the easier the recovery will be. 8. Not Learning From Disaster: When your company has been restored to normal operations and the disaster declared over, your DR planning is not done. Now is the time to go over what happened and how you can improve your plan for the next event. No plan is perfect, but a well-thought-out plan, that is allowed to change when new information is presented, has a better chance of protecting your employees and assets. In the end isn’t that why you made a plan in the first place?

Disaster Recovery Plan Mistakes

Benefits of a Disaster Recovery Plan [11] There are many benefits to having a disaster recovery plan, but the biggest benefit is the level of disaster preparedness one can only get by taking the time to make develop a plan. A backup and disaster recovery plan is designed to keep business going after a disaster. It’s really a matter of saving your business from the cost of downtime. Just know that the benefits of having a disaster recovery plan are more than just readiness. Here are a few reasons you should consider making a disaster recovery plan that you may not have considered.

  • Asset and Inventory Management: The first part of a good backup and recovery plan is thorough documentation, which involves understanding equipment inventory. This is useful for identifying which pieces of equipment you have, which are extra but may come in handy, and which are completely superfluous. Any good IT administrator knows which equipment he or she has and where to find it. That way if there is a problem, whether small or large, spare equipment is quickly accessible. Good asset management also helps prevent employee theft, which can certainly happen at any organization.
  • Network Management: How can you successfully manage a network if you don’t know everything about it? Detailed documentation as part of a good backup and recovery plan helps you clearly understand the way a network is functioning, which allows you to remedy issues quickly. So if there’s a simple problem like a busted router or something awful like a server failure, you can handle it. RMM tools are great for this because they can help you document networked equipment automatically. Still, there’s a physical aspect that you shouldn’t ignore. Taking photos of equipment set ups - particularly in server rooms or closest - can be useful as well.
  • Task Redundancy: Part of your disaster plan involves making sure at least two people can do any one task. This keeps you covered in an emergency, but it doesn’t have to be a full on disaster for task redundancy to be useful. Have you ever had somebody leave on vacation, call in sick, or leave the company abruptly and on poor terms? This can cause huge problems if that person is the only one who can do a critical task. Not only that, but what about less critical tasks? As an example, suppose you need a person to perform a network diagnosis before you can fix something, but only that one person has the capability. If that person is too busy, it can create a bottle neck and you’re sitting around waiting. You could save time if only you could quickly do it yourself.
  • Cost Savings: We mentioned that good documentation can result in better management, but it can also help you identify areas where you could be saving money, particularly if it’s time for a hardware upgrade. Why run three separate servers when you can run three virtual servers on one physical piece of equipment? Your eagle-eye view can help you see where the cost savings might be and where you might be able to go virtual or to the cloud.
  • Ability to Test: How can you test a plan you don’t have? If you have a disaster recovery plan you can run through what would happen in various scenarios, which allows you to see your recovery in action. If you’re an IT provider, this also helps you establish trust with clients who can actually watch your test and see that you can deliver on any promises you’ve made.

Disaster Recovery Planning Business Continuity Business Continuity Plan (BCP) Business Continuity Planning (BCP) Risk Management Enterprise Risk Management (ERM) Crisis Management

  • ↑ Definition of Disaster Recovery Plan ScienceDaily
  • ↑ What is Disaster Recovery Plan Techopedia
  • ↑ Scope and Objectives of a Disaster Recovery Plan Sans Institute
  • ↑ Types of Disaster Recovery Plan (DRP) [1]
  • ↑ Stages of a Disaster Recovery Plan Webopedia
  • ↑ The Four Phases in Developing an Effective Disaster Recovery Plan (DRP) secure24
  • ↑ Key Elements of a Disaster Recovery Plan (DRP) Kyle Cebull
  • ↑ Developing Testing Criteria and Procedures for Disaster Recovery Plans Wikipedia
  • ↑ Different ways to Review a Disaster Recovery Plan BerganKDV
  • ↑ 8 Disaster Recovery Plan Mistakes Companies Make SIB/Amala
  • ↑ Benefits of a Disaster Recovery Plan ACD Communications

Further Reading

  • How Effective Is Your Disaster Recovery Plan? Forbes
  • Information Technology Disaster Recovery Plan SOU
  • Guidelines for Generating a Disaster Recovery Plan University of Arizona
  • 10 Essential Steps to Developing an IT Disaster Recovery Plan That Works Cloed Endure
  • 8 ingredients of an effective disaster recovery plan cio.com
  • 7 things your IT disaster recovery plan should cover CSO Online
  • The Importance Of A Disaster Recovery Plan Iron Mountain
  • Español – América Latina
  • Português – Brasil

What is a Disaster Recovery Plan?

Disaster recovery (DR) is an organization’s ability to restore access and functionality to IT infrastructure after a disaster event, whether natural or caused by human action (or error). DR is considered a subset of business continuity, explicitly focusing on ensuring that the IT systems that support critical business functions are operational as soon as possible after a disruptive event occurs.

Today, disaster recovery planning is crucial for any business, especially those operating either partially or entirely in the cloud. Disasters that interrupt service and cause data loss can happen anytime without warning—your network could have an outage, a critical bug could get released, or your business might have to weather a natural disaster. Organizations with robust and well-tested disaster recovery strategies can minimize the impact of disruptions, achieve faster recovery times, and resume core operations rapidly when things go awry.   

Learn more about Google Cloud backup and disaster recovery features and products and how they can be used to build the right DR solution for your business.

IT disaster recovery defined

IT disaster recovery is a portfolio of policies, tools, and processes used to recover or continue operations of critical IT infrastructure, software, and systems after a natural or human-made disaster.

The first and foremost aspect of a disaster recovery plan is cloud. The cloud is considered the best solution for both business continuity and disaster recovery. The cloud eliminates the need to run a separate disaster recovery data center (or recovery site). 

What is a disaster recovery site? 

It’s a second, physical data center that’s costly to build and maintain—and with the cloud, made unnecessary.

What is considered a disaster?

Dr planning and strategies focus on responding to and recovering from disasters—events that disrupt or completely stop a business from operating..

While these events can be natural disasters like a hurricane, they can also be caused by a severe system failure, an intentional attack, or even human error. 

Types of disasters can include: 

  • Natural disasters (for example, earthquakes, floods, tornados, hurricanes, or wildfires)
  • Pandemics and epidemics
  • Cyber attacks (for example, malware, DDoS, and ransomware attacks)
  • Other intentional, human-caused threats such as terrorist or biochemical attacks
  • Technological hazards (for example, power outages, pipeline explosions, and transportation accidents)
  • Machine and hardware failure 

Importance of disaster recovery

Technology plays an increasingly important role in every aspect of business, with applications and services enabling companies to be more agile, available, and connected. This trend has contributed to the widespread adoption of cloud computing by organizations to drive growth, innovation, and exceptional customer experience. 

However, the migration to cloud environments—public, private, hybrid, or multicloud—and the rise of remote workforces are introducing more infrastructure complexity and potential risks. Disaster recovery for cloud-based systems is critical to an overall business continuity strategy. A system breakdown or unplanned downtime can have serious consequences for enterprises that rely heavily on cloud-based resources, applications, documents, and data storage to keep things running smoothly. 

In addition, data privacy laws and standards stipulate that most organizations are now required to have a disaster recovery strategy. Failure to follow DR plans can result in compliance violations and steep regulatory fines. 

Every business needs to be able to recover quickly from any event that stops day-to-day operations, no matter what industry or size. Without a disaster recovery plan, a company can suffer data loss, reduced productivity, out-of-budget expenses, and reputational damage that can lead to lost customers and revenue. 

How disaster recovery works

Disaster recovery relies on having a solid plan to get critical applications and infrastructure up and running after an outage—ideally within minutes..

An effective DR plan addresses three different elements for recovery: 

  • Preventive: Ensuring your systems are as secure and reliable as possible, using tools and techniques to prevent a disaster from occurring in the first place. This may include backing up critical data or continuously monitoring environments for configuration errors and compliance violations. 
  • Detective: For rapid recovery, you’ll need to know when a response is necessary. These measures focus on detecting or discovering unwanted events as they happen in real time. 
  • Corrective: These measures are aimed at planning for potential DR scenarios, ensuring backup operations to reduce impact, and putting recovery procedures into action to restore data and systems quickly when the time comes. 

Typically, disaster recovery involves securely replicating and backing up critical data and workloads to a secondary location or multiple locations—disaster recovery sites. A disaster recovery site can be used to recover data from the most recent backup or a previous point in time. Organizations can also switch to using a DR site if the primary location and its systems fail due to an unforeseen event until the primary one is restored.

Types of disaster recovery

The types of disaster recovery you’ll need will depend on your it infrastructure, the type of backup and recovery you use, and the assets you need to protect..

Here are some of the most common technologies and techniques used in disaster recovery: 

  • Backups: With backups, you back up data to an offsite system or ship an external drive to an offsite location. However, backups do not include any IT infrastructure, so they are not considered a full disaster recovery solution. 
  • Backup as a service (BaaS): Similar to remote data backups, BaaS solutions provide regular data backups offered by a third-party provider. 
  • Disaster recovery as a service (DRaaS): Many cloud providers offer DRaaS, along with cloud service models like IaaS and PaaS . A DRaaS service model allows you to back up your data and IT infrastructure and host them on a third-party provider’s cloud infrastructure. During a crisis, the provider will implement and orchestrate your DR plan to help recover access and functionality with minimal interruption to operations.  
  • Point-in-time snapshots: Also known as point-in-time copies, snapshots replicate data, files, or even an entire database at a specific point in time. Snapshots can be used to restore data as long as the copy is stored in a location unaffected by the event. However, some data loss can occur depending on when the snapshot was made. 
  • Virtual DR: Virtual DR solutions allow you to back up operations and data or even create a complete replica of your IT infrastructure and run it on offsite virtual machines (VMs). In the event of a disaster, you can reload your backup and resume operation quickly. This solution requires frequent data and workload transfers to be effective. 
  • Disaster recovery sites: These are locations that organizations can temporarily use after a disaster event, which contain backups of data, systems, and other technology infrastructure.

Benefits of disaster recovery

Stronger business continuity.

Every second counts when your business goes offline, impacting productivity, customer experience, and your company’s reputation. Disaster recovery helps safeguard critical business operations by ensuring they can recover with minimal or no interruption. 

Enhanced security

DR plans use data backup and other procedures that strengthen your security posture and limit the impact of attacks and other security risks. For example, cloud-based disaster recovery solutions offer built-in security capabilities, such as advanced encryption, identity and access management, and organizational policy. 

Faster recovery

Disaster recovery solutions make restoring your data and workloads easier so you can get business operations back online quickly after a catastrophic event. DR plans leverage data replication and often rely on automated recovery to minimize downtime and data loss.

Reduced recovery costs

The monetary impacts of a disaster event can be significant, ranging from loss of business and productivity to data privacy penalties to ransoms. With disaster recovery, you can avoid, or at least minimize, some of these costs. Cloud DR processes can also reduce the operating costs of running and maintaining a secondary location.

High availability

Many cloud-based services come with high availability (HA) features that can support your DR strategy. HA capabilities help ensure an agreed level of performance and offer built-in redundancy and automatic failover, protecting data against equipment failure and other smaller-scale events that may impact data availability. 

Better compliance

DR planning supports compliance requirements by considering potential risks and defining a set of specific procedures and protections for your data and workloads in the event of a disaster. This usually includes strong data backup practices, DR sites, and regularly testing your DR plan to ensure that your organization is prepared. 

Planning a disaster recovery strategy

A comprehensive disaster recovery strategy should include detailed emergency response requirements, backup operations, and recovery procedures. DR strategies and plans often help form a broader business continuity strategy, which includes contingency plans to mitigate impact beyond IT infrastructure and systems, allowing all business areas to resume normal operations as soon as possible. 

When it comes to creating disaster recovery strategies, you should carefully consider the following key metrics: 

  • Recovery time objective (RTO): The maximum acceptable length of time that systems and applications can be down without causing significant damage to the business. For example, some applications can be offline for an hour, while others might need to recover in minutes.
  • Recovery point objective (RPO) : The maximum age of data you need to recover to resume operations after a major event. RPO helps to define the frequency of backups. 

These metrics are particularly useful when conducting risk assessments and business impact analysis (BIA) for potential disasters, from moderate to worst-case scenarios. Risk assessments and BIAs evaluate all functional areas of a business and the consequences of any risks, which can help define DR goals and the actions needed to achieve them before or after an event occurs. 

When creating your recovery strategy, it’s useful to consider your RTO and RPO values and pick a DR pattern that will enable you to meet those values and your overall goals. Typically, the smaller your values (or the faster your applications need to recover after an interruption), the higher the cost to run your application. 

Cloud disaster recovery can greatly reduce the costs of RTO and RPO when it comes to fulfilling on-premises requirements for capacity, security, network infrastructure, bandwidth, support, and facilities. A highly managed service on Google Cloud can help you avoid most, if not all, complicating factors and allow you to reduce many business costs significantly. 

For more guidance on using Google Cloud to address disaster recovery, you can read our Disaster recovery planning guide or contact your account manager for help with creating a DR plan.

Solve your business challenges with Google Cloud

What is disaster recovery used for, ensure business resilience.

No matter what happens, a good DR plan can ensure that the business can return to full operations rapidly, without losing data or transactions.

Maintain competitiveness

When a business goes offline, customers are rarely loyal. They turn to competitors to get the goods or services they require. A DR plan prevents this.

Avoid regulatory risks

Many industries have regulations dictating where data can be stored and how it must be protected. Heavy fines result if these mandates are not met.

Avoid data loss

The longer a business’s systems are down, the greater the risk that data will be lost. A robust DR plan minimizes this risk.

Keep customers happy

Meeting customer service level agreements (SLAs) is always a priority. A well-executed DR plan can help businesses achieve SLAs despite challenges.

Maintain reputation

A business that has trouble resuming operations after an outage can suffer brand damage. For that reason, a solid DR plan is critical.

Related products and services

Google offers many products that can be used as building blocks when creating a secure and reliable DR plan, including Cloud Storage .

Take the next step

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Start your next project, explore interactive tutorials, and manage your account.

  • Need help getting started? Contact sales
  • Work with a trusted partner Find a partner
  • Continue browsing See all products
  • Get tips & best practices See tutorials
  • UpGuard BreachSight
  • UpGuard Vendor Risk

Product Features

Vendor risk assessments, security questionnaires.

  • Security Ratings

Data Leak Detection

  • Integrations
  • Financial Services

eBooks, Reports, & more

What is a disaster recovery plan + complete checklist.

Kyle Chin

A disaster recovery plan (DRP) is a set of detailed, documented guidelines that outline a business’ critical assets and explain how the organization will respond to unplanned incidents. Unplanned incidents or disasters typically include cyber attacks , system failures, power outages, natural disasters, equipment failures, or infrastructure disasters.

More specifically, a disaster recovery plan measures how capable an organization’s ability to restore IT infrastructure functionality and access to critical data, regardless of the disaster event.

A DRP should identify the responsibilities of staff within the organization, outline the step-by-step instructions for the disaster recovery process, and create plans to mitigate and reduce the impact of the incident so that the company can resume basic operations.

Why Is Having a Disaster Recovery Plan Important?

Disaster recovery plans are just one part of an overall security plan and should be established and implemented along with business continuity plans and incident response plans . Without these plans in place, companies can suffer catastrophic damage in form of data loss, data exposure, significantly reduced productivity, penalties and fines, reputational damage, lost revenue, and unplanned recovery expenses.

Creating disaster recovery plans, along with business continuity and incident response plans, can help build confidence with stakeholders, investors, clients, and business partners that demonstrate the capability and preparation to deal with any incident.

What is a Business Continuity Plan?

A business continuity plan (BCP) is similar to a disaster recovery plan, but a continuity plan is an overarching plan that outlines the steps needed for a business to continue operating in the event of an incident or disaster. A disaster recovery plan considers a more structured approach to the recovery process rather than the continuity process.

Learn more about business continuity plans >

What is an Incident Response Plan?

Incident response plans are critical to any security program because they provide detailed actions for responding and reacting to specific incidents. An incident response plan is focused on handling a cybersecurity incident and its fallout from start to finish, whereas a DR plan is a more robust plan that considers the potential of serious damage to the whole enterprise and how to restore technology.

Learn more about incident response plans >

Disaster Recovery Plan Checklist

Clear disaster response procedures are critical. Implementing disaster recovery quickly minimizes damage and speeds up recovery. The first few hours, in particular, can be critical. The disaster recovery plan’s emergency response procedures section should comprise clear, practical steps in language sufficient for widespread understanding.

A disaster recovery plan should be organized by location and type of disaster. No single disaster recovery plan template exists because every business is different, but a comprehensive disaster recovery plan should cover the following factors:

1. Perform a Business Impact Analysis (BIA)

A business impact analysis should be performed before creating a disaster recovery or business continuity plan . The analysis should determine the entire scope of potential aftereffects and impacts in case of a disruption to critical business operations.

Each potential disaster scenario must be planned for, and the systems and subsequent parties that will be affected must also be identified to determine which business components must be protected first to continue operating. The main difference between a BIA and BCP is that a BIA assesses the potential impact while a BCP outlines a plan based on the BIA to ensure operations are minimally affected.

Impacts that should be considered include:

  • Loss of sales or income
  • Cost of recovery (time, labor, equipment, staffing, public relations)
  • Total business downtime
  • Regulatory fines for failed compliance
  • Damage to reputation or customer trust

Ultimately, a BIA provides the necessary context and data for businesses to progress in their risk management and disaster recovery processes.

2. Perform Risk Analysis and Vulnerability Assessments

Risk analysis and vulnerability assessments identify the biggest threats and vulnerabilities that could potentially affect the business. The risk and vulnerability assessment process is designed to help businesses prioritize risk and vulnerability mitigation processes.

Different threats and vulnerabilities can affect different industries, so it’s important to identify which ones pose the biggest risk to your organization. Risks should be classified by the likelihood of occurrence and impact on assets, so the company can begin to plan business recovery processes surrounding those threats.

Risk analyses are important to anticipate and plan for the worst-case scenario and have plans in place to minimize the impact of a critical disaster. Once the risks and vulnerabilities have been identified, businesses can begin to build a risk management plan.

Risk analysis can be accomplished in two ways: qualitative and quantitative risk analysis methods . Qualitative risk analysis assesses risk using subjective data (such as perceived reputational impact) and hypothetical scenarios to determine disaster impact. Quantitative risk analysis measures risk through statistical probabilities and estimated quantifiable impact to determine risk tolerance and risk management cost investments.

Both processes should be conducted together to have a complete overview of the organization’s risk acceptance and resilience, which can then be used to make more informed business decisions.

Learn more about how to perform a cyber risk analysis >

2. Identify Roles and Responsibilities

A disaster recovery plan needs to define the roles and responsibilities of the disaster recovery team or those within the organization responsible for the following processes:

  • Maintaining business continuity systems
  • Incident reporting to executive management, stakeholders, and related authorities
  • Who is in charge of overseeing the crisis and ensuring recovery
  • Team members’ roles in securing and protecting critical business components
  • Contacting third-party vendors or affected parties
  • Liaising with people external to the organization, such as customers, clients, and the press

3. Take Inventory of Assets

To properly manage a cyber incident or cyber threat , it’s important to understand the complete overview of the assets an organization handles. Taking inventory of the organization’s IT infrastructure, including hardware, software, applications, and critical data allows the organization to prioritize the most valuable systems and assets to protect.

Asset inventory should be updated regularly in the disaster recovery plan, especially if there are large changes to the asset management strategy. To facilitate prioritization, the inventory should categorize inventory as follows:

  • Critical assets essential to business operations
  • Important assets, such as applications used once or more per day and whose absence would disrupt typical operations
  • Unimportant assets, which are accessed or used less than once per day

Sensitive data , such as payment details, intellectual property, and personally identifiable information (PII) , can also be subject to compliance requirements . A disaster recovery plan needs to address how critical data is handled during a crisis or disaster in relation to compliance standards.

In addition, it’s important to note that the people with the authority to access sensitive data during normal business operations may differ from those who can access sensitive data during a disaster to ensure its safety.

4. Disaster Recovery Sites

Disaster recovery sites refer to where the company’s assets are located and where they will be moved if disaster strikes. Businesses need to have the sites defined ahead of time should an incident occur, whether the assets are physical or digital.

The three types of recovery sites are as follows:

  • Cold sites — Used to store data backups but cannot immediately run systems.
  • Warm sites — Functional data centers that allow access to critical systems. However, up-to-date customer data may be unavailable.
  • Hot sites — Functioning data centers that contain IT equipment and personnel to use it, as well as up-to-date customer data.

In the event that businesses are still using physical documents and storage media that are still important to business operations, the disaster recovery plan also needs to include where these physical copies will be stored offsite in case of disaster.

As good practice, recovery sites and data backups should be updated regularly. Organizations should implement backup procedures at least a few times per week to ensure business continuity.

5. Disaster Recovery Testing

Much a fire or earthquake drill, it’s necessary to test the disaster recovery procedure and its procedures at least once a year. The plan should be tested in a simulated situation that varies in complexity to ensure protection against all threats.

Testing phases should accomplish the following steps:

  • Identify faults and inconsistencies within the plan that can lead to potential miscommunication or improper incident management
  • Ensure all relevant team members know their specific roles, duties, and workloads
  • Simulate a live cyber attack or other disasters
  • Test success of recovery site upload and backup processes

Regular testing should include updates to the plan and any new threats or vulnerabilities that pose a risk to critical assets.

6. Communication or Reporting Plan

Communicating information about the nature, impact, and cause of a disaster can be critical to the company’s reputation. Timely communication and incident reporting may also be required to comply with cybersecurity regulations . Therefore, the disaster recovery plan needs to define who will deliver what information to whom in the event of a disaster.

Parties that need to be kept up to date will include any or all of the following:

  • Stakeholders or investors
  • Executive management
  • Staff and employees
  • Relevant third-party vendors
  • Governing authorities
  • Customers and clients
  • Media outlets and press
  • Legal counsel

To ensure that communication is clear and prompt, the plan should outline who has primary communication responsibilities and which communication channels they should use.

7. Minimum Physical Facility Requirements

A part of the disaster recovery plan should include the minimum physical facilities a business needs to operate if its usual facility is rendered unusable by a disaster, such as an earthquake. Minimum physical facility requirements should include how much space is required, where it needs to be located, and what equipment is required.

8. RTO and RPO

As part of the disaster recovery planning process, businesses also need to define its RTO and RPO as part of its recovery strategy:

  • Recovery Time Objective (RTO) - A business’s RTO is how long it can tolerate an interruption to normal operations. This can be anything from a few minutes to many hours, depending on the nature of the business.
  • Recovery Point Objective (RPO) - The RPO refers to how much data the organization can stand to lose and is normally measured in time, such as an hour of data or 24 hours of data. A business that backs up once daily considers its RPO 24 hours.

Benefits of a Disaster Recovery Plan

Ultimately, the aim of a thorough disaster recovery plan is to facilitate faster response and smoother restoration if disaster strikes, such as a data breach or cyber attack that results in data loss or downtime .

With the increasing prevalence of cyber attacks and human error in the information technology (IT) sphere involving malware like ransomware , affected businesses are seeing rising costs and damages due to poor recovery execution and extended downtimes. It’s imperative to have strong disaster recovery processes as part of the entire business strategy

  • Lower Cyber Insurance Premiums - The modern threat landscape is such that more businesses require cyber insurance to protect themselves in case of a severe cyber attack. The cyber liability insurance industry has reached a point where it can no longer insure all businesses unless they have clearly defined security programs that minimize its overall risk. Having a disaster recovery plan can significantly lower the overall risk profile of a business and thus lower the associated cyber liability insurance premiums .
  • Fewer Recovery Costs - Formal policies and procedures demonstrating a firm’s preparedness for unplanned events can also lower costs during a data breach by helping team members respond to the issues, shortening the data breach lifecycle. The more time that is spent responding to the disaster can lead to increased damages and loss of business.
  • Minimal Penalties - In heavily-regulated sectors like healthcare or public entities, penalties for a data breach and non-compliance with cybersecurity regulations can be costly. The longer a data breach lasts, the more significant the potential penalties can be for non-compliance. A business with a disaster recovery plan will likely recover far more quickly than a company without one.
  • Minimal Business Interruption - Anything facilitating restoring technology will reduce costs for the organization if an unplanned incident interrupts operations. An excellent IT disaster recovery plan can differentiate between minimal impact and complete operational shutdown. When a cyber attack or another incident interrupts critical services, organizations must do all they can to restore technology and normal business processes as quickly as possible.

What Is a Disaster Recovery as a Service (DRaaS)?

A DRaaS provider is a third-party provider that uses cloud technology to facilitate rapid restoration of data servers and applications in case of an emergency or disaster.

A third-party solution provider’s security policies and procedures will impact data and database recovery, so it’s highly recommended to work with a trusted vendor that includes data protection as a core part of their offering. Subscribers should also consider the capacity of the provider to ensure it can handle the data transfer required for backing up and restoring the business’s information systems effectively.

Cloud disaster recovery solutions can have the following benefits for modern businesses.

  • Connectivity - One of the benefits of DRaaS is that restorations can be initiated from any location using various kinds of computers, which is ideal in a disaster scenario that may affect physical locations and data. It makes sense to use a provider in another region to avoid the likelihood of the DRaaS provider being affected by the same physical disaster as the subscriber. This way, a business affected by a geographically-specific disaster can use cloud services to create a functional data center in a new location to restore its applications and customer data.
  • Instant Mirroring - Another benefit of DRaaS is that they mirror data changes instantly. This cloud service creates a backup database server that copies the master database server created on the fly. With such a system, restoration can be performed from a point seconds before an outage.
  • Cost-Effective - For many organizations, migrating to cloud services for data management and disaster recovery processes is a cost-effective contingency plan for disruptive events. Excellent cloud service DR providers provide around-the-clock data protection and data management , keeping software up-to-date and monitoring the network to prevent data breaches in the first place. They can also respond quickly and automatically in the event of a disaster.

Reviewed by

Kaushik Sen

Kaushik Sen

Ready to see upguard in action, join 27,000+ cybersecurity newsletter subscribers.

 alt=

Related posts

The top cybersecurity websites and blogs of 2023.

Abi Tyas Tunggal

14 Cybersecurity Metrics + KPIs You Must Track in 2024

What are security ratings cyber performance scoring explained, why is cybersecurity important, what is typosquatting (and how to prevent it), introducing upguard's new sig lite questionnaire.

Caitlin Postal

  • Product Video
  • Release notes
  • SecurityScorecard
  • All comparisons
  • Security Reports
  • Instant Security Score
  • Third-Party Risk Management
  • Attack Surface Management
  • Cybersecurity

Choose region and language

  • Brasil Português
  • Mexico Español
  • United States + Canada English

Asia-Pacific

  • Chinese Simplified 简体中文
  • Chinese Traditional 繁體中文
  • Indonesia Bahasa Indonesia
  • Singapore English
  • Vietnam Tiếng Việt
  • India हिन्दी

What is a disaster recovery plan (DRP) and how to create one?

Acronis

Disasters that affect your IT capabilities happen more often than you think, but only 6% are caused by a natural disaster. The vast majority of disasters that cause significant IT downtime are human error, hardware and software failure, and cyberattacks. There are even stories circulating that talk of how a newly hired IT technician inadvertently deleted all company data on his first day!

During the past three years, 93% of businesses have been hit by a natural or human-made disaster – and many of these organizations could not recover.  

Whether your organization is large or small, the only way to prepare for a disaster is to develop and exercise a disaster recovery plan.

What is a disaster recovery plan (DRP)?

An IT disaster recovery plan (DRP ) is a written document that spells out the policies, step-by-step procedures, and responsibilities to recover an organization's IT systems and data and get IT operations back up and running when a disaster happens. This plan is a sub-component of the organization's  Business Continuity Plan (BCP) .

Once developed, the DR plan must be tested (or exercised) to ensure that the IT team can fully recover the organization's IT systems regardless of the type of disaster. 

Disasters arrive unannounced, so it is essential to get an IT DR plan in place as soon as possible. A fully operational plan will help minimize risk exposure, reduce disruption, and ensure economic stability. It will also reduce insurance premiums and potential liability, and ensure your organization complies with regulatory requirements. Most importantly, a well-executed plan can save your organization thousands – even hundreds of thousands – of dollars in the event of a disaster.

Data is a valuable asset: Customer data; financial, human resource, and R&D documents; and emails are irreplaceable. Each document represents hours of work, and the ability to retrieve it is essential. To determine how much a disaster can cost your organization, consider the cost of system downtime – the impact on employee productivity, the loss of billable hours, missed sales from a down e-commerce website, and penalties for failure to meet regulatory compliance obligations.

In a worst-case scenario, your DR plan may save your company.  

Acronis

What are the different Types of Disaster Recovery Plans?

There are four types of disaster recovery plans.

Virtualized Disaster Recovery Plan

With a virtual DR plan, your IT organization replicates the entire IT infrastructure and stores it on an  offsite Virtual Machine (VM) . Since VMs are hardware independent, you do not need the same hardware as the primary site, so you can quickly  back up your systems  and data to dissimilar hardware. When a disaster happens, you can failover IT operations to the offsite VM and recover from a disaster in just a few minutes. 

Network Disaster Recovery Plan

A disaster recovery plan helps your IT team respond to an unplanned interruption of network services during a disaster, including voice, data, internet, etc. The plan must include procedures for recovering an organization's network operations, including local area networks (LANs), wide-area networks (WANs), and wireless networks.

An unplanned interruption of network services can range from performance degradation to a complete outage.

Cloud Disaster Recovery Plan

With this type of plan, your systems and data are backed up to a public cloud located at least 150 miles from the primary site. When a disaster happens, IT can easily failover their operations to the disaster recovery site and fail back to the same or new hardware – even if that hardware is dissimilar - to resume normal operations. Public  cloud DR services  are available pay-as-you-go and can be accessed from anywhere.

Data Center Disaster Recovery Plan

This type of plan requires your organization to set up a separate facility only used when a disaster happens. There are three primary types of disaster recovery data centers - cold, warm, and hot.

  • A cold DR site is an office or data center located away from the primary site with power, heat, air conditioning, etc. but no running IT systems. Depending on the length of the disaster, an organization may install the necessary systems after the disaster hits.
  • A warm DR site offers office space and a technology infrastructure used when a disaster hits the primary site. A warm site has power, heat, air conditioning, network connectivity, and redundant hardware/software already up and running.  Backups  from the primary to the warm site are performed daily or weekly, which can result in some data loss. 
  • A hot site offers office space and a complete replica of the primary site's IT infrastructure, systems, applications, and up-to-date data. A hot site enables rapid recovery of all business processes. It is most expensive to maintain compared to other data center types, but, for many businesses, it's the most optimal solution.

The disaster recovery process

Every business needs a disaster recovery plan unique to its data requirements. To define the best approach for your business, you must weigh the value of your data, systems, and applications against the risk your organization can afford to assume. When creating disaster recovery plans, be sure to include the following steps:  

  • Establish a planning group.
  • Perform a risk assessment and define an acceptable  Recovery Point Objective (RPO)  and Recovery Time Objective (RTO).
  • Prepare an inventory of IT assets.
  • Identify dependencies and establish priorities.
  • Develop recovery strategies.
  • Develop a communication plan.
  • Develop documentation, verification criteria, procedures, and responsibilities.
  • Test, test, test the plan.
  • Implement the plan.
  • Maintain the IT infrastructure.

What are the five major elements of a disaster recovery plan?

We've outlined the basic steps in disaster recovery planning. Now, let's explore the five primary elements of a DR plan below.

Assign it recovery management team

A dedicated disaster recovery plan requires proper development, updates, and testing. It's best to form a dedicated disaster recovery team to cover all of those. Ideally, the team should include managers and employees from all branches of your organization.

The team's ultimate purpose is to design, develop, implement, test, and upgrade the DR plan to ensure you can recover core business services as quickly as possible following a disaster.

Moreover, the DR team should assign specific roles for each team member and their contact details in the DR plan document. The plan should also identify the first contact point (a responsible individual) in the event of a disaster.

Lastly, all company staff must have access to the detailed disaster recovery plan, know the disaster recovery processes, and understand their specific roles to cut down recovery time and quickly resume key operations after a disaster occurs.

Identify potential disaster risks

Organizations must identify potential data risks - human-made, due to natural disaster or cyber-attacks. Restoring important systems and business operations in a disaster can reduce downtime and minimize financial and reputational loss, which is critical to your company's success.

Once you've identified the potential risks applicable to your company, you can calculate the Recovery point objective (RPO) and Recovery time objectives (RTOs). Having a precise RPO and RTO lets you manage disaster recovery systems easier, thus leading to a smooth and rapid restoration.

Classify critical data, apps, and resources

The next step comprises your company's critical systems - apps, data, documents, and resources. (buildings, machinery, onsite IT infrastructure, human and intellectual resources, etc.)

The DRP should focus on successful contingency planning - how to continue revenue generation and ensure cash flow as a short-term goal. In the mid-and-long term, the DRP must define how to get your entire system back up and running to resume normal operations.

Outline and specify backup and offsite disaster recovery procedures

You can rely on a  Disaster-recovery-as-a-Service (DRaaS)  to manage onsite and offsite coordination or use a robust disaster recovery solution to manage the process individually.

In both cases, you should aim to present the disaster recovery plan strategies to all data-processing personnel, assign critical business operations, outline backup operations procedures, and determine internal recovery strategies for your primary business site and emergency response procedures for your offsite disaster recovery sites.

(if you rely on a fully-equipped secondary site, you should also create an alternate hot site plan; if you rely on a mobile data center, you should implement a mobile site setup plan)

Test and polish the plan

As your company grows, your DR risks and needs will also evolve. For example, if your company opens a new data center, it should be reflected in your DRP as soon as possible.

If you have more than one alternate site, it's best to use full resiliency program management. Bringing all of your information services backup procedures under one umbrella will let you design an appropriate emergency response for your data processing operations, mitigate business continuity risks, and, ultimately, enable rapid recovery to resume normal operations in the event of power outages and natural disasters.

Moreover, you will benefit from disaster recovery automation, which simplifies testing all technology recovery strategies. A tested disaster recovery plan ensures continuous innovation in line with the increased risk to your company data. Be it during power outages, natural disasters, or cyber-attacks, your organization will be prepared to restore even complex business operations rapidly.

What should you avoid during disaster recovery planning?

A disaster can cause chaos and create an environment where your DR team members make mistakes. To overcome this challenge, build your list of do's and don'ts for plan development and use it before, during, and after the crisis.

Here is a quick synopsis of some of the most important “dos and don'ts.”

What not to do:

  • Do not discount the importance of an IT disaster recovery plan because you have backups or have implemented high availability. You need such a plan no matter what!
  • Do not consider DR an expense. It's an investment.
  • Do not apply a single data protection strategy to all applications.
  • Do not assume that your network can handle the traffic during an emergency. Identify alternative forms of communication if you cannot use the network.
  • Do not create a DR plan just for the sake of having one or to simply satisfy executive management and your auditors.
  • Do not simplify disaster recovery process milestones. It may speed up the planning phase but will rarely be optimal in the long run.

What to do:

  • Be sure to get sponsorship for the DR plan from the executive team.
  • Look for disaster recovery plan examples to use as a template to speed the development and improve the accuracy of your plan.
  • Include key contact members from various departments in your planning committee. Include decision-makers from multiple departments - financial associates, customer service representatives, and IT personnel.
  • Safeguard data not stored centrally, including data stored on desktops, laptops, and mobile devices. Also, consider the following:
  • Virtual environments
  • Application-specific agents
  • Snapshot storage requirements
  • Server activation and documentation
  • Backup and recovery
  • Create a disaster recovery plan checklist to use as a quick reference when developing the DR plan and during an actual disaster. A list helps your team work quickly and perform tasks accurately.
  • Perform end-user acceptance testing.
  • Be sure to test a broad range of disaster scenarios regularly.
  • Update and test your disaster recovery plan regularly.
  • Choose a DR location that is not too close to your production site and can be remotely activated in the event of an emergency.
  • Plan frequent meetings to ensure that resources are still available during a disaster.

How are DR and business continuity plans different?

DR addresses the recovery of IT infrastructure during or following disruptive events. DR relies on data security services to restore critical systems and complement your business continuity planning (BCP).

A good disaster recovery plan ensures you can always access essential company data. Focusing on the bigger picture, BCP encompasses all necessary precautions to safeguard your data and employees to ensure continuous business operations.

BCP focuses on optimizing your data processing system, disaster site rebuilding, enterprise resource management, and more to ensure no unforeseen event will disrupt your business processes.

Your BCP team must examine all disaster recovery plan examples created by your DR team, consult on the best one, and implement it to fortify your backup system, minimize your Recovery Time Objective, and turn the perceived disaster recovery complexity into an understandable, easy-to-follow guideline for all responsible employees.

Disaster recovery plan templates

If you are a small- to medium-sized business (SMB), consider using an IT disaster recovery plan template to help guide you and your team through the plan development process.

There are many DR and business recovery plan templates available on the internet, including templates offered by Solutions Review, Smartsheet, and template.net. You can also find IT disaster recovery templates for small businesses at SupremusGroup. 

If this is the first time your organization is developing a plan, using a DR plan template ensures you do not miss important steps in the process and eliminates the costs associated with engaging a consultant. 

Testing your DR plan

You must test your disaster recovery plan and ensure you have all the elements in place for a successful test. This includes having a detailed script of test activities, ensuring that all IT components are in place and ready to use, documenting what happens during the test, and preparing a post-DR-test, after-action review.

Finding the right DRP solution

Implementing your DR plan means you'll need to find a DR solution that fits your IT requirements and is realistic about managing and testing. Many SMBs now work with managed service providers (MSPs) who deliver and administer their IT needs – outsourcing the expense of that mission-critical expertise. Many of those MSPs offer managed DR services that are built on Acronis'  disaster recovery solution . That's because, with Acronis, an MSP can add disaster recovery to your backup in a matter of minutes – so not only will you have backups that protect your data, applications, and systems, but when disaster strikes, you can spin up your IT systems in the cloud to keep your organization running. After the disaster passes, you'll be able to easily recover to the same, new, or dissimilar hardware.

How to Develop a Disaster Recovery Plan for Your IT Systems

About Acronis

Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 1,800 employees in 45 locations. The Acronis Cyber Protect Cloud solution is available in 26 languages in over 150 countries and is used by 20,000 service providers to protect over 750,000 businesses.

How the New Acronis #CyberFit Academy Empowers Partners asdasd…

As the novel coronavirus/COVID-19 continues to spread, impacting individuals, organizations, and communities across the globe, we want to share how Acronis is responding to the pandemic.

New update adds vulnerability assessments to Acronis True …

Working from home has become a critical part of containing the virus, but for small to mid-size businesses tackling remote work for the first time, there are security considerations to keep in mind.

With the coronavirus on the verge of being declared a global pandemic and thousands dead in its wake, there are sick attempts by criminals to scam unsuspected victims to profit from the illness.

Looking Forward to Better Days

Travel may be restricted and conferences canceled, but this crisis will eventually pass. To give us something to look forward to, let’s look at the session tracks for the 2020 Acronis Global Cyber Summit.

© 2024 Acronis International GmbH. Rheinweg 9, 8200 Schaffhausen, Switzerland. © All rights reserved.

Your information is used in accordance with our privacy statement . You receive this email because you are subscribed for a blog newsletter.

  • Customer Service
  • Send Feedback
  • Manage Subscriptions
  • Company Blog

More from Acronis

Acronis

2023 AWS Global Storage Partner of the Year | 2023 AWS Global Storage PoY | Schedule a meeting

Disaster Recovery Plan

Disaster recovery plan definition.

What is a disaster recovery plan? A disaster recovery plan (DRP), disaster recovery implementation plan, or IT disaster recovery plan is a recorded policy and/or process that is designed to assist an organization in executing recovery processes in response to a disaster to protect business IT infrastructure and more generally promote recovery.

The purpose of a disaster recovery plan is to comprehensively explain the consistent actions that must be taken before, during, and after a natural or man-made disaster so that the entire team can take those actions. A disaster recovery plan should address both man-made disasters that are intentional, such as fallout from terrorism or hacking, or accidental, such as an equipment failure.

What is a disaster recovery plan ?

Organizations of all sizes generate and manage massive amounts of data, much of it mission critical. The impact of corruption or data loss from human error, hardware failure, malware, or hacking can be substantial. Therefore, it is essential to create a disaster recovery plan for the restoration of business data from a data backup image.

It is most effective to develop an information technology (IT) disaster recovery plan in conjunction with the business continuity plan (BCP). A business continuity plan is a complete organizational plan that consists of five components:

1. Business resumption plan 2. Occupant emergency plan 3. Continuity of operations plan 4. Incident management plan (IMP) 5. Disaster recovery plan

Generally, components one through three do not touch upon IT infrastructure at all. The incident management plan typically establishes procedures and a structure to address cyber attacks against IT systems during normal times, so it does not deal with the IT infrastructure during disaster recovery. For this reason, the disaster recovery plan is the only component of the BCP of interest to IT.

Among the first steps in developing such adisaster recovery strategy is business impact analysis, during which the team should develop IT priorities and recovery time objectives. The team should time technology recovery strategies for restoring applications, hardware, and data to meet business recovery needs.

Every situation is unique and there is no single correct way to develop a disaster recovery plan. However, there are three principal goals of disaster recovery that form the core of most DRPs:

  • prevention, including proper backups, generators, and surge protectors
  • detection of new potential threats, a natural byproduct of routine inspections
  • correction, which might include holding a “lessons learned” brainstorming session and securing proper insurance policies

What should a disaster recovery plan include?

Although specific disaster recovery plan formats may vary, the structure of a disaster recovery plan should include several features:

Goals A statement of goals will outline what the organization wants to achieve during or after a disaster, including the recovery time objective (RTO) and the recovery point objective (RPO). The recovery point objective refers to how much data (in terms of the most recent changes) the company is willing to lose after a disaster occurs. For example, an RPO might be to lose no more than one hour of data, which means data backups must occur at least every hour to meet this objective.

Recovery time objective or RTO refers to the acceptable downtime after an outage before business processes and systems must be restored to operation. For example, the business must be able to return to operations within 4 hours in order to avoid unacceptable impacts to business continuity.

Personnel Every disaster recovery plan must detail the personnel who are responsible for the execution of the DR plan, and make provisions for individual people becoming unavailable.

IT inventory An updated IT inventory must list the details about all hardware and software assets, as well as any cloud services necessary for the company’s operation, including whether or not they are business critical, and whether they are owned, leased, or used as a service.

Backup procedures The DRP must set forth how each data resource is backed up – exactly where, on which devices and in which folders, and how the team should recover each resource from backup.

Disaster recovery procedures These specific procedures, distinct from backup procedures, should detail all emergency responses, including last-minute backups, mitigation procedures, limitation of damages, and eradication of cybersecurity threats.

Disaster recovery sites Any robust disaster recovery plan should designate a hot disaster recovery site. Located remotely, all data can be frequently backed up to or replicated at a hot disaster recovery site — an alternative data center holding all critical systems. This way, when disaster strikes, operations can be instantly switched over to the hot site.

Restoration procedures Finally, follow best practices to ensure a disaster recovery plan includes detailed restoration procedures for recovering from a loss of full systems operations. In other words, every detail to get each aspect of the business back online should be in the plan, even if you start with a disaster recovery plan template. Here are some procedures to consider at each step.

Include not just objectives such as the results of risk analysis and RPOs, RTOs, and SLAs, but also a structured approach for meeting these goals. The DRP must address each type of downtime and disaster with a step-by-step plan, including data loss, flooding, natural disasters, power outages, ransomware, server failure, site-wide outages, and other issues. Be sure to enrich any IT disaster recovery plan template with these critical details.

Create a list of IT staff including contact information, roles, and responsibilities. Ensure each team member is familiar with the company disaster recovery plan before it is needed so that individual team members have the necessary access levels and passwords to meet their responsibilities. Always designate alternates for any emergency, even if you think your team can’t be affected.

Address business continuity planning and disaster recovery by providing details about mission-critical applications in your DRP. Include accountable parties for both troubleshooting any issues and ensuring operations are running smoothly. If your organization will use cloud backup services or disaster recovery services, vendor name and contact information, and a list of authorized employees who can request support during a disaster should be in the plan; ideally the vendor and organizational contacts should know of each other.

Media communication best practices are also part of a robust disaster recovery and business continuity plan. A designated public relations contact and media plan are particularly useful to high profile organizations, enterprises, and users who need 24/7 availability, such as government agencies or healthcare providers. Look for disaster recovery plan examples in your industry or vertical for specific best practices and language.

Benefits of a disaster recovery plan

Obviously, a disaster recovery plan details scenarios for reducing interruptions and resuming operations rapidly in the aftermath of a disaster. It is a central piece of the business continuity plan and should be designed to prevent data loss and enable sufficient IT recovery.

Beyond the clear benefit of improved business continuity under any circumstances, having a company disaster recovery plan can help an organization in several other important ways.

Cost-efficiency Disaster recovery plans include various components that improve cost-efficiency. The most important elements include prevention, detection, and correction, as discussed above. Preventative measures reduce the risks from man-made disasters. Detection measures are designed to quickly identify problems when they do happen, and corrective measures restore lost data and enable a rapid resumption of operations.

Achieving cost-efficiency goals demands regular maintenance of IT systems in their optimal condition, high-level analysis of potential threats, and implementation of innovative cybersecurity solutions. Keeping software updated and systems optimally maintained saves time and is more cost-effective. Adopting cloud-based data management as a part of disaster recovery planning can further reduce the costs of backups and maintenance.

Increased productivity Designating specific roles and responsibilities along with accountability as a disaster recovery plan demands increases effectiveness and productivity in your team. It also ensures redundancies in personnel for key tasks, improving sick day productivity, and reducing the costs of turnover.

Improved customer retention Customers do not easily forgive failures or downtime, especially if they result in loss of sensitive data. Disaster recovery planning helps organizations meet and maintain a higher quality of service in every situation. Reducing the risks your customers face from data loss and downtime ensures they receive better service from you during and after a disaster, shoring up their loyalty.

Compliance Enterprise business users, financial markets, healthcare patients, and government entities, all rely on availability, uptime, and the disaster recovery plans of important organizations. These organizations in turn rely on their DRPs to stay compliant with industry regulations such as HIPAA and FINRA.

Scalability Planning disaster recovery allows businesses to identify innovative solutions to reduce the costs of archive maintenance, backups, and recovery. Cloud-based data storage and related technologies enhance and simplify the process and add flexibility and scalability.

The disaster recovery planning process can reduce the risk of human error, eliminate superfluous hardware, and streamline the entire IT process. In this way, the planning process itself becomes one of the advantages of disaster recovery planning, streamlining the business, and rendering it more profitable and resilient before anything ever goes wrong.

Ways to develop a disaster recovery plan

There are several steps in the development of a disaster recovery plan. Although these may vary somewhat based on the organization, here are the basic disaster recovery plan steps:

Risk assessment First, perform a risk assessment and business impact analysis (BIA) that addresses many potential disasters. Analyze each functional area of the organization to determine possible consequences from middle of the road scenarios to “worst-case” situations, such as total loss of the main building. Robust disaster recovery plans set goals by evaluating risks up front, as part of the larger business continuity plan, to allow critical business operations to continue for customers and users as IT addresses the event and its fallout.

Consider infrastructure and geographical risk factors in your risk analysis. For example, the ability of employees to access the data center in case of a natural disaster, whether or not you use cloud backup, and whether you have a single site or multiple sites are all relevant here. Be sure to include this information, even if you’re working from a sample disaster recovery plan.

Evaluate critical needs Next, establish priorities for operations and processing by evaluating the critical needs of each department. Prepare written agreements for selected alternatives, and include details specifying all special security procedures, availability, cost, duration, guarantee of compatibility, hours of operation, what constitutes an emergency, non-mainframe resource requirements, system testing, termination conditions, a procedure notifying users of system changes, personnel requirements, specs on required processing hardware and other equipment, a service extension negotiation process, and other contractual issues.

Set disaster recovery plan objectives Create a list of mission-critical operations to plan for business continuity, and then determine which data, applications, equipment, or user accesses are necessary to support those functions. Based on the cost of downtime, determine each function’s recovery time objective (RTO). This is the target amount of time in hours, minutes, or seconds an operation or application can be offline without an unacceptable business impact.

Determine the recovery point objective (RPO), or the point in time back to which you must recover the application. This is essentially the amount of data the organization can afford to lose.

Assess any service level agreements (SLAs) that your organization has promised to users, executives, or other stakeholders.

Collect data and create the written document Collect data for your plan using pre-formatted forms as needed. Data to collect in this stage may include:

  • lists (critical contact information list, backup employee position listing, master vendor list, master call list, notification checklist)
  • inventories (communications equipment, data center computer hardware, documentation, forms, insurance policies, microcomputer hardware and software, office equipment, off-site storage location equipment, workgroup hardware, etc.)
  • schedules for software and data files backup/retention
  • procedures for system restore/recovery
  • temporary disaster recovery locations
  • other documentation, inventories, lists, and materials

Organize and use the collected data in your written, documented plan.

Test and revise Next, develop criteria and procedures for testing the plan. This is essential to ensure the organization has adopted compatible, feasible backup procedures and facilities, and to identify areas that should be modified. It also allows the team to be trained, and proves the value of the DRP and ability of the organization to withstand disasters.

Finally, test the plan based on the criteria and procedures. Conduct an initial dry run or structured walk-through test and correct any problems, ideally outside normal operational hours. Types of business disaster recovery plan tests include: disaster recovery plan checklist tests, full interruption tests, parallel tests, and simulation tests.

The recovery point objective, or RPO, refers to how much data (in terms of the most recent changes) the company is willing to lose after a disaster occurs. For example, an RPO might be to lose no more than one hour of data, which means data backups must occur at least every hour to meet this objective.

The RPO answers this question: “How much data could be lost without significantly impacting the business?”

Example: If the RPO for a business is 20 hours and the last available good copy of data after an outage is 18 hours old, we are still within the RPO’s parameters.

In other words, the RTO answers the question: “How much time after notification of business process disruption should it take to recover?”

To compare RPO and RTO , consider that RPO means a variable amount of data that would need to be re-entered after a loss or would be lost altogether during network downtime. In contrast, RTO refers to how much real time can elapse before the disruption unacceptably impedes normal business operations.

It is important to expose the gap between actuals and objectives set forth in the disaster recovery plan. Only business disruption and disaster rehearsals can expose actuals—specifically Recovery Point Actual (RPA) and Recovery Time Actual (RTA). Refining these differences brings the plan up to speed.

Strategies and tools for a disaster recovery plan

The right strategies and tools help implement a disaster recovery plan.

Traditional on-premises recovery strategies The IT team should develop disaster recovery strategies for IT applications, systems, and data. This includes desktops, data, networks, connectivity, servers, wireless devices, and laptops. Identify IT resources that support time-sensitive business processes and functions so their recovery times match.

Information technology systems require connectivity, data, hardware, and software. The entire system may fail due to a single component, so recovery strategies should anticipate the loss of one or more of these system components:

  • Secure, climate-controlled computer room environment with backup power supply
  • Connectivity to a service provider
  • Hardware such as desktop and laptop computers, networks, wireless devices and peripherals, and servers
  • Software applications such as electronic mail, electronic data interchange, enterprise resource management, and office productivity

Data and restoration For business applications that cannot tolerate downtime, actual parallel computing, data mirroring, or multiple data center synchronization is possible yet costly. Other solutions for mission critical business applications and sensitive data include cloud backup and cloud-native disaster recovery, which reduce the need for expensive hardware and IT infrastructure.

Internal recovery strategies Some enterprises store data at multiple facilities and configure hardware to run similar applications from data center to data center when needed. Assuming off-site data backup or data mirroring are taking place, processing can continue and data can be restored at an alternate site under these circumstances. However, this is a costly solution, and one that demands an internal solution that is itself infallible.

Cloud-based disaster recovery strategies Cloud-based vendors offer Disaster recovery as a service (DRaaS), which are essentially “hot sites” for IT disaster recovery hosted in the cloud. DRaaS leverages the cloud to provide fully configured recovery sites that mirror the applications in the local data center. This allows users a more immediate response, allowing them the ability to recover critical applications in the cloud, keeping them ready for use at the time of a disaster.

Vendors can host and manage applications, data security services, and data streams, enabling access to information via web browser at the primary business site or other sites. These vendors can typically enhance cybersecurity because their ongoing monitoring for outages offers data filtering and detection of malware threats. If the vendor detects an outage at the client site, they hold all client data automatically until the system is restored. In this sense, the cloud is essential to security planning and disaster recovery.

Does Druva offer a cloud disaster recovery plan ?

With Druva’s cloud-native disaster recovery plan, workloads on-premises or in the cloud back up directly to the Druva Cloud Platform, built on AWS. This eliminates recovery complexities by enabling automated runbook execution and one-click disaster recovery. Druva’s cloud-native disaster recovery includes failover and failback, either back to on-premises systems or to any AWS region or account without hardware, a managed DR site, or excessive administration.

Watch the video below for a demo, and discover Druva's innovative one-click solutions for on-premises and cloud workloads on the disaster recovery page of the website .

Related Terms

Now that you’ve learned about the disaster recovery plan, brush up on these related terms with Druva’s glossary:

  • What is cyber resilience?
  • What is an RPO?
  • What is an RTO?
  • Bahasa Indonesia
  • Sign out of AWS Builder ID
  • AWS Management Console
  • Account Settings
  • Billing & Cost Management
  • Security Credentials
  • AWS Personal Health Dashboard
  • Support Center
  • Expert Help
  • Knowledge Center
  • AWS Support Overview
  • AWS re:Post
  • What is Cloud Computing?
  • Cloud Computing Concepts Hub

What is Disaster Recovery?

Disaster recovery is the process by which an organization anticipates and addresses technology-related disasters. The process of preparing for and recovering from any event that prevents a workload or system from fulfilling its business objectives in its primary deployed location, such as power outages, natural events, or security issues. Disaster recovery targets are measured with Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). The failures handled by disaster recovery tend to be rarer than those covered by high availability and are larger scale disaster events. Disaster recovery includes an organization's procedures and policies to recover quickly from such events.

Why is disaster recovery important?

A disaster is an unexpected problem resulting in a slowdown, interruption, or network outage in an IT system. Outages come in many forms, including the following examples:

  • An earthquake or fire
  • Technology failures
  • System incompatibilities
  • Simple human error 
  • Intentional unauthorized access by third parties

These disasters disrupt business operations, cause customer service problems, and result in revenue loss. A disaster recovery plan helps organizations respond promptly to disruptive events and provides key benefits.

Ensures business continuity

When a disaster strikes, it can be detrimental to all aspects of the business and is often costly. It also interrupts normal business operations, as the team’s productivity is reduced due to limited access to tools they require to work. A disaster recovery plan prompts the quick restart of backup systems and data so that operations can continue as scheduled. 

Enhances system security

Integrating data protection, backup, and restoring processes into a disaster recovery plan limits the impact of ransomware, malware, or other security risks for business. For example, data backups to the cloud have numerous built-in security features to limit suspicious activity before it impacts the business. 

Improves customer retention

If a disaster occurs, customers question the reliability of an organization’s security practices and services. The longer a disaster impacts a business, the greater the customer frustration. A good disaster recovery plan mitigates this risk by training employees to handle customer inquiries. Customers gain confidence when they observe that the business is well-prepared to handle any disaster. 

Reduces recovery costs

Depending on its severity, a disaster causes both loss of income and productivity. A robust disaster recovery plan avoids unnecessary losses as systems return to normal soon after the incident. For example, cloud storage solutions are a cost-effective data backup method. You can manage, monitor, and maintain data while the business operates as usual. 

How does disaster recovery work?

Disaster recovery focuses on getting applications up and running within minutes of an outage. Organizations address the following three components.

To reduce the likelihood of a technology-related disaster, businesses need a plan to ensure that all key systems are as reliable and secure as possible. Because humans cannot control a natural disaster, prevention only applies to network problems, security risks, and human errors. You must set up the right tools and techniques to prevent disaster. For example, system-testing software that auto-checks all new configuration files before applying them can prevent configuration mistakes and failures. 

Anticipation

Anticipation includes predicting possible future disasters, knowing the consequences, and planning appropriate disaster recovery procedures. It is challenging to predict what can happen, but you can come up with a disaster recovery solution with knowledge from previous situations and analysis. For example, backing up all critical business data to the cloud in anticipation of future hardware failure of on-premises devices is a pragmatic approach to data management.

Mitigation is how a business responds after a disaster scenario. A mitigation strategy aims to reduce the negative impact on normal business procedures. All key stakeholders know what to do in the event of a disaster, including the following steps.

  • Updating documentation
  • Conducting regular disaster recovery testing
  • Identifying manual operating procedures in the event of an outage
  • Coordinating a disaster recovery strategy with corresponding personnel

disaster recovery plan wikipedia

What are the key elements of a disaster recovery plan?

An effective disaster recovery plan includes the following key elements. 

Internal and external communication

The team responsible for creating, implementing, and managing the disaster recovery plan must communicate with each other about their roles and responsibilities. If a disaster happens, the team should know who is responsible for what and how to communicate with employees, customers, and each other. 

Recovery timeline

The disaster recovery team must decide on goals and time frames for when systems should be back to normal operations after a disaster. Some industries’ timelines may be longer than others, while others need to be back to normal in a matter of minutes. 

The timeline should address the following two objectives.

Recovery time objective 

The recovery time objective (RTO) is a metric that determines the maximum amount of time that passes before you complete disaster recovery. Your RTOs may vary depending on impacted IT infrastructure and systems.

Recovery point objective

A recovery point objective (RPO) is the maximum amount of time acceptable for data loss after a disaster. For example, if your RPO is minutes or hours, you will have to back up your data constantly to mirror sites instead of just once at the end of the day.

Data backups

The disaster recovery plan determines how you back up your data. Options include cloud storage, vendor-supported backups, and internal offsite data backups. To account for natural disaster events, backups should not be onsite. The team should determine who will back up the data, what information will be backed up, and how to implement the system.

Testing and optimization 

You must test your disaster recovery plan at least once or twice per year. You can document and fix any gaps that you identify in these tests. Similarly, you should update all security and data protection strategies frequently to prevent inadvertent unauthorized access.

How can you create a disaster recovery team?

A disaster recovery team includes a collaborative team of experts, such as IT specialists and individuals in leadership roles, who will be crucial to the team. You should have somebody on the team who takes care of the following key areas.

Crisis management

The individual in charge of crisis management implements the disaster recovery plan right away. They communicate with other team members and customers, and they coordinate the disaster recovery process. 

Business continuity

The business continuity manager ensures that the disaster recovery plan aligns with results from business impact analysis. They include business continuity planning in the disaster recovery strategy. 

Impact recovery and assessment

Impact assessment managers are experts in IT infrastructure and business applications. They assess and fix network infrastructure, servers, and databases. They also manage other disaster recovery tasks, such as the following examples.

  • Application integrations
  • Data consistency maintenance
  • Application settings and configuration

What are the best disaster recovery methods?

When disaster recovery planning, businesses implement one or several of the following methods.

Backing up data is one of the easiest methods of disaster recovery that all businesses implement. Backing up important data entails storing data offsite, in the cloud, or on a removable drive. You should back up data frequently to keep it up to date. For example, by backing up to AWS , businesses get a flexible and scalable infrastructure that protects all data types. 

Data center disaster recovery

In the event of certain types of natural disasters, appropriate equipment can protect your data center and contribute to rapid disaster recovery. For example, fire suppression tools help equipment and data survive through a blaze, and backup power sources support businesses’ continuity in case of power failure. Similarly, AWS data centers have innovative systems that protect them from human-made and natural risks.

Virtualization 

Businesses back up their data and operations using offsite virtual machines (VMs) not affected by physical disasters. With virtualization as part of the disaster recovery plan, businesses automate some processes, recovering faster from a natural disaster. The continuous transfer of data and workloads to VMs like Amazon Elastic Compute Cloud (Amazon EC2) is essential for effective virtualization. 

Disaster recovery as a service

Disaster recovery services like AWS Elastic Disaster Recovery can move a company’s computer processing and critical business operations to its own cloud services in the event of a disaster. Therefore, normal operations can continue from the provider’s location, even if on-premises servers are down. Elastic Disaster Recovery also protects from Regions in the cloud going down. 

In the event of a natural disaster, a company moves its operations to another rarely used physical location, called a cold site. This way, employees have a place to work, and business functions can continue as normal. This type of disaster recovery does not protect or recover important data, so another disaster recovery method must be used alongside this one.    

How can AWS help with disaster recovery?

Elastic Disaster Recovery is a disaster recovery service that reduces downtime and data loss with the fast, reliable recovery of on-premises and cloud-based applications. It can decrease your RPO to seconds and RTO to just a few minutes. You can quickly recover operations after unexpected events, such as software issues or data center hardware failures. It is also a flexible solution, so you can add or remove replicating servers and test various applications without specialized skill sets.

Elastic Disaster Recovery includes the following benefits.

  • Reduces costs by removing idle recovery site resources, so you pay for the full disaster recovery site only when needed
  • Converts cloud-based applications to run natively on AWS
  • Restores applications within minutes, at their most up-to-date state, or from a previous point in time in case of security incidents

Get started with disaster recovery on AWS by creating an AWS account today. 

Next steps on AWS

disaster recovery plan wikipedia

Ending Support for Internet Explorer

bitcatcha

Bitcatcha > How To Make A Website > What Is Disaster Recovery Plan? (A Guide For Website Owners)

What Is Disaster Recovery Plan? (A Guide For Website Owners)

disaster recovery plan wikipedia

In today’s digital age, websites are essential to any business or organization. Websites can be used to market products and services, communicate with customers, and provide important information.

However, websites are also vulnerable to threats, including natural disasters, cyber-attacks, and technical failures. As a website owner, it is crucial to have a disaster recovery plan in place to minimize the impact of these threats and keep your site running smoothly.

Table of Contents

  • What are some potential disasters for websites?
  • How to create a website disaster recovery plan
  • Make use of disaster recovery checklist templates
  • How to test and update your website disaster recovery plan
  • Helpful tools and services for website disaster recovery

What Are Some Potential Disasters for Websites?

global hazards

When developing a disaster recovery plan for your website, it is essential to identify potential disasters that could impact your website. Here are some examples of potential disasters to consider when developing your disaster recovery plan:

  • Natural disasters Natural disasters such as hurricanes, earthquakes, tornadoes, floods, and wildfires can cause physical damage to your website infrastructure and disrupt your operations. It is essential to have plans to protect your physical assets and data and ensure your employees’ safety.
  • Cyber threats Cyber threats like hacking, malware, phishing attacks , and ransomware can compromise your website security, steal sensitive information, and cause downtime. It is vital to have cybersecurity measures in place to prevent these threats and a plan to respond to them in case of an attack.
  • Technical failures Technical failures such as server crashes, power outages, and network failures can cause downtime and data loss. It is crucial to have backup and recovery procedures in place to minimize the impact of these failures and ensure your website’s continuity.
  • Human errors Human errors such as accidental deletions, misconfigurations, and software bugs can also cause downtime and data loss. It is essential to have procedures to prevent these errors and backup and recovery procedures in case they occur.

How To Create a Website Disaster Recovery Plan

risk planning

Knowing the potential disasters for a website can aid in creating your disaster recovery plan. Remember that your disaster recovery plan should include the following key elements:

  • Start with a risk assessment The first step in developing a disaster recovery plan is assessing your website’s potential risks. This includes identifying potential natural disasters, cyber threats, and technical failures that could impact your website. A risk assessment should also consider the impact of these events on your website, including downtime, data loss, and financial losses.
  • Backup and recovery A disaster recovery plan should include procedures for backing up your website data and systems. This includes regularly backing up your website files and databases and developing a plan for restoring your website in the event of a disaster.
  • Communication plan A communication plan is critical for ensuring key stakeholders are informed and involved in disaster recovery. This includes employees, customers, and vendors. The communication plan should outline how to notify stakeholders of a disaster, the steps to recover, and how stakeholders can get updates.
  • Response procedures A disaster recovery plan should include response procedures for different types of disasters. This includes procedures for responding to natural disasters, cyber-attacks, and technical failures. Response procedures should outline the steps to minimize the disaster’s impact and recover quickly.
  • Testing and maintenance A disaster recovery plan should be regularly updated to ensure effectiveness. This includes testing backup and recovery procedures and testing response procedures for different types of disasters. Regular maintenance and updates are also necessary to ensure the plan remains relevant and practical.

Make Use of Disaster Recovery Checklist Templates

disaster recovery checklist

A disaster recovery checklist can help ensure your website recovery plan is thorough and complete. Here are some templates for pre-disaster, disaster, and post-disaster checklists that you can use as a starting point:

Pre-disaster checklist:

  • Create a list of critical components of your website.
  • Determine recovery objectives for each critical component.
  • Choose a backup strategy for each critical component.
  • Select a backup solution.
  • Test your disaster recovery plan regularly.
  • Train your staff on the disaster recovery plan.
  • Document the disaster recovery plan and store it in a secure location.
  • Develop a communication plan for stakeholders.
  • Review and update the disaster recovery plan regularly.

Disaster checklist:

  • Ensure the safety of all personnel.
  • Notify stakeholders of the disaster and its impact.
  • Implement the disaster recovery plan.
  • Restore backups of critical components.
  • Monitor the recovery process.
  • Test the recovered components to ensure functionality.
  • Implement additional security measures as needed.
  • Communicate status updates to stakeholders.
  • Coordinate with vendors or third-party services as needed.

Post-disaster checklist:

  • Review the disaster recovery plan and identify any areas for improvement.
  • Assess the effectiveness of the disaster recovery plan.
  • Determine the cause of the disaster and implement measures to prevent a recurrence.
  • Conduct a debriefing with staff and stakeholders to gather feedback and identify opportunities for improvement.
  • Review and update the disaster recovery plan as needed.
  • Communicate the post-disaster assessment and recovery plan improvements to stakeholders.

How to Test and Update Your Website Disaster Recovery Plan

Testing and updating your website disaster recovery plan is critical to ensuring its effectiveness in case of a disaster. Here are some steps to test and update your website disaster recovery plan:

  • Define testing objectives Define the testing objectives for each critical component, including recovery time objectives (RTO) and recovery point objectives (RPO). RTO is the maximum allowable downtime before your website is back up and running, while RPO is the maximum allowable data loss.
  • Create a test environment Create a test environment that mirrors your production environment. This environment should include all critical components of your website and third-party services.
  • Execute the test plan Execute a test plan that covers all critical components of your website. Test backup and recovery procedures, communication channels, and additional security measures.
  • Evaluate test results Evaluate the test results to determine if the recovery objectives were met. Identify any gaps or issues that need to be addressed.
  • Update the disaster recovery plan Update the disaster recovery plan based on the test results and any identified gaps or issues. Ensure that all stakeholders are aware of the changes.
  • Repeat the testing process Repeat the testing process regularly to ensure your website disaster recovery plan remains adequate and relevant.

Helpful Tools and Services for Website Disaster Recovery

acronis draas

There are several helpful tools and services available that website owners can use to ensure their disaster recovery plan is effective.

Here are a few examples:

  • Backup solutions Backup solutions like CodeGuard, Backblaze , and Carbonite can help automate backups of critical components of your website. This ensures that you always have a recent backup in case of a disaster.
  • Cloud hosting Cloud hosting solutions like AWS, Google Cloud, and Microsoft Azure offers built-in disaster recovery capabilities. These solutions replicate your website data across multiple regions or availability zones, ensuring your website can quickly recover in a disaster. Other good web hosts also tend to offer Cloud holding plans based on one or more Cloud service providers.
  • Content Delivery Network (CDN) A CDN like Cloudflare , Akamai, or Amazon CloudFront can help ensure your website remains available during a disaster. These solutions distribute your website content across multiple servers globally, reducing the load on your website servers and improving uptime.
  • Disaster Recovery as a Service (DRaaS) DRaaS solutions like Datto, Acronis, and Zerto offer comprehensive disaster recovery solutions, including backup, recovery, and failover services . These solutions can help automate your disaster recovery plan and ensure that your website is quickly back up and running in case of a disaster.
  • Website monitoring tools Website monitoring tools like Pingdom, UptimeRobot, and Site24x7 can help you proactively monitor your website and identify potential issues. These tools can alert you if your website goes down or experiences performance issues, allowing you to address them before they become a disaster.

Planning for a Website Disaster Can Help Minimize Business Impact

In this guide, we have covered the basics of disaster recovery planning for website owners, including identifying potential disasters, creating a disaster recovery checklist, testing and updating the plan, and leveraging helpful tools and services.

Businesses rely heavily on their websites for operations today, so a disaster recovery plan is critical. A website disaster can result in significant revenue loss, reputation damage, and even business closure.

Always remember that disaster recovery planning is an ongoing process and requires regular testing and updates to remain effective. Stay vigilant and proactive, and you’ll be able to protect your website and business from the impact of a disaster.

disaster recovery plan wikipedia

Cargo ship sailing

Businesses need to have a plan in place to get back on track when a disaster interrupts daily operations. Contingency plans, also known as “business continuity plans,” "emergency response plans” and “disaster recovery plans” help organizations recover after a disruption. Whether they’re preparing for a global outbreak of a deadly virus, crisis management around a data breach or simply the loss of an important client, contingency plans help organizations get back on their feet after a negative event.

Companies create many kinds of recovery strategies for everything from the merger of key competitors to the insolvency of the bank used to process its employee payroll. In India, the government was busy designing a contingency plan as a drier-than-expected monsoon season approached.¹ Meanwhile, in Hong Kong, a large bank was preparing a plan b in case a host of new sanctions were levied as the result of a recent geopolitical development.²

Here are five steps companies use to create effective business contingency plans.

Explore IBM Maximo to learn how IoT data, analytics and AI can help streamline your asset operations.

Subscribe to the IBM newsletter

The contingency planning process begins with a risk assessment to gauge the potential impact of each risk. Typically, risk analysis is conducted by business leaders and employees. Team members begin with a brainstorming session where they discuss potential risks, courses of action and the company’s overall preparedness. During this stage it’s important to be clear about the scope of the project and invite all relevant stakeholders to give input. Companies don’t need to create a risk management plan for every threat they face, just the ones deemed highly likely and with the potential to interrupt business operations.

Effective business impact analysis (BIA) is critical to understanding different business functions and how they will react to unexpected events. For example, while a shortage in micro-processors might be devastating to a part of a business that deals with the manufacture of gaming consoles, it likely will have little to no impact on the same company’s HR department.

To assess the urgency of creating an action plan for this specific threat, the company would need to know how much of its revenue was being generated from the part of the business threatened by the microprocessor shortage. If gaming consoles are a high percentage of their revenue, they’ll want to make sure they have a strong plan in place soon. A well-developed BIA helps stakeholders assess risk and better understand which parts of their business are most critical to daily operations.

After identifying the risks their company faces, determining the likelihood and severity of each risk and conducting a BIA, business leaders can follow a simple, three-step process to build their backup plan.

Identify the triggers that will set their plan into action: For example, if a hurricane is approaching, at what point does the approaching storm trigger the contingency plan? When it’s 50 miles away—100? They’ll need to make clear decisions so the teams they put in charge of execution will know when to start their work.

Design an appropriate response: The threat the business prepared for has arrived. Teams will need to know exactly what’s expected of them so the company can recover quickly. They’ll need clear, accessible instructions, protocols that are easy to follow and a way for everyone to communicate with each other.

Delegate responsibility clearly and fairly: Like any other initiative, contingency planning requires effective project management to succeed. In the case of an existential threat such as a natural disaster, everyone involved in helping the company recover needs to know their role and have received the proper training necessary to perform it. For example, in the case of a fire, it wouldn’t be fair to expect employees untrained in firefighting to pick up a hose. However, with the right training, they could conduct headcounts or go floor-to-floor to ensure other employees have evacuated.

One way to improve workflow among teams when designing a plan is to create a RACI chart. RACI stands for responsible, accountable, consulted and informed and is a widely used process to help teams and individuals delegate responsibility and react to crises in real time.

While it can be hard to justify the importance of putting financial resources into something that might never happen, these past few years have taught us the value of good contingency planning. Think of all the supply chain problems, critical shortages of personal protective equipment and financial havoc wreaked by the pandemic. What would have been different if organizations had had effective contingency plans in place for the kinds of threats they faced?

Cost and uncertainty are big barriers when it comes to convincing business leaders of the importance of making an investment in contingency planning. Since all costs for contingency plans are estimated—there’s no way of knowing precisely how events will disrupt a business—decision makers are understandably hesitant.

Different industries have different ways of approaching this problem. In the construction industry it’s common to set aside 10 percent of the overall budget of a project for contingencies. Other industries use different methods. One popular method estimates risks according to a percentage of how likely they are to occur. By this method, if there’s a 25 percent risk of an event occurring that will result in USD 200,000 in recovery costs, the company must set aside 25 percent—or USD 50,000—to be in compliance with their contingency plan.

Markets and industries are constantly shifting, so the reality that a contingency plan faces when it is triggered might be very different than the one it was created for. For example, after the 9/11 terror attacks, many of the contingency plans that the U.S. government had in place were suddenly irrelevant, because they had been prepared decades before.

To avoid a similar disconnect between plans and threats, businesses need to constantly test and reassess the plans they’ve made. For example, IBM’s guidelines mandate that plans should be tested at least once annually and improved upon as necessary.³ If new risks are discovered and their severity and likelihood is deemed high enough, the old plans might be scrapped altogether.

When businesses are hit with an unexpected disruption, a strong contingency plan gives much-needed structure to the recovery process. Disruptive events cause chaos and decision makers and employees are often left scrambling to understand what is happening and how best to respond to it. Having a strong plan to turn to can help restore confidence and show the way forward.

Here are a few benefits business leaders who create strong contingency plans can expect:

Businesses that create strong plans recover faster from a disruptive event than businesses that don’t. When a negative event occurs, the faster the business recovers and gets back to business-as-usual, the lower the risk to the company, its customers and its employees.

A good contingency plan minimizes the damage to a company—both reputational and financial. For example, while a data breach will undoubtedly damage a bank’s reputation, as well as its bottom line, how the bank responds will play a critical role in whether its customers decide to continue doing business with it.

Many organizations use a strong contingency plan to show employees and customers that they take preparation seriously. By planning for a wide range of potentially damaging events, business leaders can show investors, customers and workers that they’ve taken the necessary steps to minimize risk.

Many plans focus on natural disasters such as floods, earthquakes or fires. Others deal with data breaches, unexpected network downtime or the loss of a key employee such as a CEO or founder. Here are a few examples of contingency plan templates that deal with broadly different scenarios across a range of industries.

Severity and likelihood of risk: The manufacturers have been following the news in a region where they source specific airplane parts and have deemed the likelihood of disruption there “high.” They initially conduct a search for another supplier but quickly learn that it will take months—even years—to find one. Since the part is necessary for the construction of all their airplanes, they label the severity of this disruption “high” as well.

Trigger: Suppliers make the manufacturer aware that they will soon run out of the needed part due to a disruptive geo-political event in its country of origin.

Response: The manufacturer begins the search for a new supplier of the much-needed part in a more stable country.

Severity and likelihood of risk: The managers of a bank know of a vulnerability in their app that they are working to fix. If the app is hacked, and their information systems are compromised, they are likely to lose vital customer data. They rate the likelihood of this event as “high” since, as a financial institution, they are a desirable target. They also know from watching their competitors face similar situations that the potential for disruption to their business in an event like this is great. They rate the severity of this risk as “high” as well.

Trigger: IT makes the bank’s managers aware that the bank’s app has been hacked and their customers’ data is no longer secure.

Response: The app is immediately shut down and customers are notified that their data has been compromised. They are made aware of the steps the bank is taking to ensure that they have access to their money and that their personal information is not available to anyone on the dark web. An on-call team of security experts that has been specially trained for this scenario is brought in to restore the banks systems and secure customer information.

Severity and likelihood of risk: The plant’s managers know that severe flooding could spread un-treated water into the city’s streets and public waterways. Both the severity of this risk and its likelihood given the impending storm are deemed “high. ”

Trigger: The hurricane’s path turns towards the city and approaches to less than 100 miles away with wind speeds higher than the threshold rated “safe.” The plant’s contingency plan is put into action.

Response: All necessary workers are recalled to the plant 24/7 and measures are taken to treat as much of the water as possible before the hurricane arrives. According to their plan, whatever is left over will be pumped into holding tanks that are designed to withstand a hurricane. When windspeeds rise to a certain velocity, the plant itself is shut down and all workers evacuated.

Help your business respond quickly to changing conditions with IBM Maximo, an integrated cloud-based solution that harnesses the power of artificial intelligence (AI), Internet of Things (IoT) and advanced analytics to maximize performance and minimize costs and downtime.

Learn more about the process of disaster recovery planning and Disaster-Recovery-as-a-Service.

Discover how global supply chains responded to the COVID-19 pandemic and are developing better ways to balance efficiency and resilience.

See how businesses are leveraging AI and other emerging technologies to maintain business continuity amid disruption and uncertainty.

Explore the business continuity measures IBM takes to help prevent or reduce the impact of potential threats.

Unlock the full potential of your enterprise assets with IBM Maximo Application Suite by unifying maintenance, inspection, and reliability systems into one platform. It’s an integrated cloud-based solution that harnesses the power of AI, IoT, and advanced analytics to maximize asset performance, extend asset lifecycles, minimize operational costs and reduce downtime.

1  “ El Nino contingency plan being readied for farmers & output ” (link resides outside ibm.com) Elara Securities Pvt Ltd. April 27th, 2023

2  “ HKMA has prepared contingency plans in case of severe sanctions ” (link resides outside ibm.com) UBS Global Research and Evidence Lab, May 5th, 2022

3  “ IBM business continuity management position paper ” IBM Global Technology Services thought leadership white paper, September, 2019

Disaster recovery plan

A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster . [ 1 ] Such plan, ordinarily documented in written form, specifies procedures an organization is to follow in the event of a disaster. It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster." [ 2 ] The disaster could be natural , environmental or man-made . Man-made disasters could be intentional (for example, an act of a terrorist) or unintentional (that is, accidental, such as the breakage of a man-made dam).

Given organizations' increasing dependency on information technology to run their operations, a disaster recovery plan, sometimes erroneously called a continuity of operations plan (COOP) , is increasingly associated with the recovery of information technology data, assets, and facilities.

  • 1.1 A DR Plan illustrating the RPO and the RTO with respect to the Major Incident, MI.
  • 2 Relationship to the Business Continuity Plan
  • 4 Types of plans
  • 5.1 Natural disaster
  • 5.2 Man-made disasters
  • 6.1 Obtaining top management commitment
  • 6.2 Establishing a planning committee
  • 6.3 Performing a risk assessment
  • 6.4 Establishing priorities for processing and operations
  • 6.5 Determining recovery strategies
  • 6.6 Collecting data
  • 6.7 Organizing and documenting a written plan
  • 6.8 Developing testing criteria and procedures
  • 6.9 Testing the plan
  • 6.10 Obtaining plan approval
  • 7.1 Lack of buy-in
  • 7.2 Incomplete RTOs and RPOs
  • 7.3 Systems myopia
  • 7.4 Lax security
  • 7.5 Outdated plans
  • 8 Off-the-shelf DRP software
  • 10 References

Objectives [ edit ]

Organizations cannot always avoid disasters, but with careful planning the effects of a disaster can be minimized. The objective of a disaster recovery plan is to minimize downtime and data loss. [ 3 ] The primary objective is to protect the organization in the event that all or part of its operations and/or computer services are rendered unusable. The plan minimizes the disruption of operations and ensures that some level of organizational stability and an orderly recovery after a disaster will prevail. [ 2 ] Minimizing downtime and data loss is measured in terms of two concepts: the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO).

The recovery time objective is the time within which a business process must be restored, after a major incident (MI) has occurred, in order to avoid unacceptable consequences associated with a break in business continuity . The recovery point objective (RPO) is the age of files that must be recovered from backup storage for normal operations to resume if a computer, system, or network goes down as a result of a MI. The RPO is expressed backwards in time (that is, into the past) starting from the instant at which the MI occurs, and can be specified in seconds, minutes, hours, or days. [ 4 ] The recovery point objective (RPO) is thus the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations after the MI. [ 5 ]

A DR Plan illustrating the RPO and the RTO with respect to the Major Incident, MI. [ edit ]

DR Plan illustrating the RPO and the RTO with respect to the Major Incident, MI.

Relationship to the Business Continuity Plan [ edit ]

According to the SANS institute, the Business Continuity Plan (BCP) is a comprehensive organizational plan that includes the disaster recovery plan. The Institute further states that a Business Continuity Plan (BCP) consists of the five component plans: [ 6 ]

  • Business Resumption Plan
  • Occupant Emergency Plan
  • Continuity of Operations Plan
  • Incident Management Plan
  • Disaster Recovery Plan

The Institute states that the first three plans (Business Resumption, Occupant Emergency, and Continuity of Operations Plans) do not deal with the IT infrastructure. They further state that the Incident Management Plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization’s IT systems, it generally does not represent an agent for activating the Disaster Recovery Plan, leaving The Disaster Recovery Plan as the only BCP component of interest to IT. [ 6 ]

The Disaster Recovery Institute International states that disaster recovery is the area of business continuity that deals with technology recovery as opposed to the recovery of business operations. [ 7 ]

Benefits [ edit ]

Like every insurance plan, there are benefits that can be obtained from the drafting of a disaster recovery plan. Some of these benefits are: [ 2 ]

  • Providing a sense of security
  • Minimizing risk of delays
  • Guaranteeing the reliability of standby systems
  • Providing a standard for testing the plan
  • Minimizing decision-making during a disaster
  • Reducing potential legal liabilities
  • Lowering unnecessarily stressful work environment

Types of plans [ edit ]

There is no one right type of disaster recovery plan, [ 8 ] nor is there a one-size-fits-all disaster recovery plan. [ 1 ] However, there are three basic strategies that encompass a disaster recovery plan: (1) preventive measures, (2) detective measures, and (3) corrective measures. [ 9 ] Preventive measures will try to prevent a disaster from occurring. These measures seek to identify and reduce risks. They are designed to mitigate or prevent an event from happening. These measures may include keeping data backed up and off site, using surge protectors, installing generators and conducting routine inspections. Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. Their aim is to uncover new potential threats. They may detect or uncover unwanted events. These measures include installing fire alarms, using up-to-date antivirus software, holding employee training sessions, and installing server and network monitoring software. Corrective measures are aimed to restore a system after a disaster or otherwise unwanted event takes place. These measures focus on fixing or restoring the systems after a disaster. Corrective measures may include keeping critical documents in the Disaster Recovery Plan or securing proper insurance policies , after a "lessons learned" brainstorming session. [ 1 ] [ 10 ]

A disaster recovery plan must answer at least three basic questions: (1) what is its objective and purpose, (2) who will be the people or teams who will be responsible in case any disruptions happen, and (3) what will these people do (the procedures to be followed) when the disaster strikes. [ 11 ]

Types of disasters [ edit ]

disaster recovery plan wikipedia

Disasters can be natural or man-made . Man-made disasters could be intentional (for example, sabotage or an act of terrorism ) or unintentional (that is, accidental, such as the breakage of a man-made dam). Disasters may encompass more than weather. They may involve Internet threats or take on other man-made manifestations such as theft. [ 1 ]

Natural disaster [ edit ]

A natural disaster is a major adverse event resulting from the earth's natural hazards. Examples of natural disasters are floods , tsunamis , tornadoes , hurricanes/cyclones , volcanic eruptions , earthquakes , heat waves , and landslides . Other types of disasters include the more cosmic scenario of an asteroid hitting the Earth .

Man-made disasters [ edit ]

Man-made disasters are the consequence of technological or human hazards. Examples include stampedes , urban fires , industrial accidents , oil spills , nuclear explosions / nuclear radiation and acts of war . Other types of man-made disasters include the more cosmic scenarios of catastrophic global warming , nuclear war , and bioterrorism .

The following table categorizes some disasters and notes first response initiatives. Note that whereas the sources of a disaster may be natural (for example, heavy rains) or man-made (for example, a broken dam), the results may be similar (flooding). [ 12 ]

In the realm of information technology per se, disasters may also be the result of a computer security exploit. Some of these are: computer viruses , cyberattacks , denial-of-service attacks , hacking , and malware exploits. These are ordinarily attended to by information security experts.

Planning methodology [ edit ]

According to Geoffrey H. Wold of the Disaster Recovery Journal, the entire process involved in developing a Disaster Recovery Plan consists of 10 steps: [ 2 ]

Obtaining top management commitment [ edit ]

For a disaster recovery plan to be successful, the central responsibility for the plan must reside on top management . Management is responsible for coordinating the disaster recovery plan and ensuring its effectiveness within the organization. It is also responsible for allocating adequate time and resources required in the development of an effective plan. Resources that management must allocate include both financial considerations and the effort of all personnel involved.

Establishing a planning committee [ edit ]

A planning committee is appointed to oversee the development and implementation of the plan. The planning committee includes representatives from all functional areas of the organization. Key committee members customarily include the operations manager and the data processing manager. The committee also defines the scope of the plan.

Performing a risk assessment [ edit ]

The planning committee prepares a risk analysis and a business impact analysis (BIA) that includes a range of possible disasters, including natural, technical and human threats. Each functional area of the organization is analyzed to determine the potential consequence and impact associated with several disaster scenarios. The risk assessment process also evaluates the safety of critical documents and vital records. Traditionally, fire has posed the greatest threat to an organization. Intentional human destruction, however, should also be considered. A thorough plan provides for the “worst case” situation: destruction of the main building. It is important to assess the impacts and consequences resulting from loss of information and services. The planning committee also analyzes the costs related to minimizing the potential exposures.

Establishing priorities for processing and operations [ edit ]

At this point, the critical needs of each department within the organization are evaluated in order to prioritize them. Establishing priorities is important because no organization possesses infinite resources and criteria must be set as to where to allocate resources first. Some of the areas often reviewed during the prioritization process are functional operations, key personnel and their functions, information flow, processing systems used, services provided, existing documentation, historical records, and the department's policies and procedures.

Processing and operations are analyzed to determine the maximum amount of time that the department and organization can operate without each critical system. This will later get mapped into the Recovery Time Objective . A critical system is defined as that which is part of a system or procedure necessary to continue operations should a department, computer center, main facility or a combination of these be destroyed or become inaccessible. A method used to determine the critical needs of a department is to document all the functions performed by each department. Once the primary functions have been identified, the operations and processes are then ranked in order of priority: essential, important and non-essential.

Determining recovery strategies [ edit ]

During this phase, the most practical alternatives for processing in case of a disaster are researched and evaluated. All aspects of the organization are considered, including physical facilities , computer hardware and software , communications links , data files and databases , customer services provided, user operations, the overall management information systems (MIS) structure, end-user systems, and any other processing operations.

Alternatives, dependent upon the evaluation of the computer function, may include: hot sites , warm sites , cold sites , reciprocal agreements , the provision of more than one data center, the installation and deployment of multiple computer system, duplication of service center, consortium arrangements, lease of equipment, and any combinations of the above.

Written agreements for the specific recovery alternatives selected are prepared, specifying contract duration, termination conditions, system testing , cost , any special security procedures, procedure for the notification of system changes, hours of operation, the specific hardware and other equipment required for processing, personnel requirements, definition of the circumstances constituting an emergency , process to negotiate service extensions, guarantee of compatibility , availability , non-mainframe resource requirements, priorities, and other contractual issues.

Collecting data [ edit ]

In this phase, data collection takes place. Among the recommended data gathering materials and documentation often included are various lists (employee backup position listing, critical telephone numbers list, master call list, master vendor list, notification checklist), inventories (communications equipment, documentation, office equipment, forms, insurance policies , workgroup and data center computer hardware, microcomputer hardware and software, office supply , off-site storage location equipment, telephones, etc.), distribution register, software and data files backup/retention schedules, temporary location specifications, any other such other lists, materials, inventories and documentation. Pre-formatted forms are often used to facilitate the data gathering process.

Organizing and documenting a written plan [ edit ]

Next, an outline of the plan’s contents is prepared to guide the development of the detailed procedures. Top management reviews and approves the proposed plan. The outline can ultimately be used for the table of contents after final revision. Other four benefits of this approach are that (1) it helps to organize the detailed procedures, (2) identifies all major steps before the actual writing process begins, (3) identifies redundant procedures that only need to be written once, and (4) provides a road map for developing the procedures.

It is often considered best practice to develop a standard format for the disaster recovery plan so as to facilitate the writing of detailed procedures and the documentation of other information to be included in the plan later. This helps ensure that the disaster plan follows a consistent format and allows for its ongoing future maintenance. Standardization is also important if more than one person is involved in writing the procedures.

It is during this phase that the actual written plan is developed in its entirety, including all detailed procedures to be used before, during, and after a disaster. The procedures include methods for maintaining and updating the plan to reflect any significant internal, external or systems changes. The procedures allow for a regular review of the plan by key personnel within the organization. The disaster recovery plan is structured using a team approach. Specific responsibilities are assigned to the appropriate team for each functional area of the organization. Teams responsible for administrative functions, facilities , logistics , user support, computer backup , restoration and other important areas in the organization are identified.

The structure of the contingency organization may not be the same as the existing organization chart. The contingency organization is usually structured with teams responsible for major functional areas such as administrative functions, facilities, logistics, user support, computer backup, restoration, and any other important area.

The management team is especially important because it coordinates the recovery process. The team assesses the disaster, activates the recovery plan, and contacts team managers. The management team also oversees, documents and monitors the recovery process. It is helpful when management team members are the final decision-makers in setting priorities, policies and procedures. Each team has specific responsibilities that are completed to ensure successful execution of the plan. The teams have an assigned manager and an alternate in case the team manager is not available. Other team members may also have specific assignments where possible.

Developing testing criteria and procedures [ edit ]

Best practices dictate that DR plans be thoroughly tested and evaluated on a regular basis (at least annually). Thorough DR plans include documentation with the procedures for testing the plan. The tests will provide the organization with the assurance that all necessary steps are included in the plan. Other reasons for testing include:

  • Determining the feasibility and compatibility of backup facilities and procedures.
  • Identifying areas in the plan that need modification.
  • Providing training to the team managers and team members.
  • Demonstrating the ability of the organization to recover.
  • Providing motivation for maintaining and updating the disaster recovery plan.

Testing the plan [ edit ]

After testing procedures have been completed, an initial " dry run " of the plan is performed by conducting a structured walk-through test. The test will provide additional information regarding any further steps that may need to be included, changes in procedures that are not effective, and other appropriate adjustments. These may not become evident unless an actual dry-run test is performed. The plan is subsequently updated to correct any problems identified during the test. Initially, testing of the plan is done in sections and after normal business hours to minimize disruptions to the overall operations of the organization. As the plan is further polished, future tests occur during normal business hours.

Types of tests include: checklist tests, simulation tests, parallel tests, and full interruption tests.

Obtaining plan approval [ edit ]

Once the disaster recovery plan has been written and tested, the plan is then submitted to management for approval. It is top management’s ultimate responsibility that the organization has a documented and tested plan. Management is responsible for (1) establishing the policies, procedures and responsibilities for comprehensive contingency planning , and (2) reviewing and approving the contingency plan annually, documenting such reviews in writing.

Organizations that receive information processing from service bureaus will, in addition, also need to (1) evaluate the adequacy of contingency plans for its service bureau, and (2)ensure that its contingency plan is compatible with its service bureau’s plan.

Caveats/controversies [ edit ]

Due to its high cost, disaster recovery plans are not without critics. Cormac Foster has identified five "common mistakes" organizations often make related to disaster recovery planning: [ 19 ]

Lack of buy-in [ edit ]

One factor is the perception by executive management that DR planning is "just another fake earthquake drill" or CEOs that fail to make DR planning and preparation a priority, are often significant contributors to the failure of a DR plan.

Incomplete RTOs and RPOs [ edit ]

Another critical point is failure to include each and every important business process or a block of data. "Every item in your DR plan requires a Recovery Time Objective (RTO) defining maximum process downtime or a Recovery Point Objective (RPO) noting an acceptable restore point. Anything less creates ripples that can extend the disaster's impact." As an example, "payroll, accounting and the weekly customer newsletter may not be mission-critical in the first 24 hours, but left alone for several days, they can become more important than any of your initial problems."

Systems myopia [ edit ]

A third point of failure involves focusing only on DR without considering the larger business continuity needs: "Data and systems restoration after a disaster are essential, but every business process in your organization will need IT support, and that support requires planning and resources." As an example, corporate office space lost to a disaster can result in an instant pool of teleworkers which, in turn, can overload a company's VPN overnight, overwork the IT support staff at the blink of an eye and cause serious bottlenecks and monopolies with the dial-in PBX system.

Lax security [ edit ]

When there is a disaster, an organization's data and business processes become vulnerable. As such, security can be more important than the raw speed involved in a disaster recovery plan's RTO. The most critical consideration then becomes securing the new data pipelines: from new VPNs to the connection from offsite backup services. Another security concern includes documenting every step of the recovery process—something that is especially important in highly regulated industries, government agencies, or in disasters requiring post-mortem forensics. Locking down or remotely wiping lost handheld devices is also an area that may require addressing.

Outdated plans [ edit ]

Another important aspect that is often overlooked involves the frequency with which DR Plans are updated. Yearly updates are recommended but some industries or organizations require more frequent updates because business processes evolve or because of quicker data growth. To stay relevant, disaster recovery plans should be an integral part of all business analysis processes, and should be revisited at every major corporate acquisition, at every new product launch and at every new system development milestone.

Off-the-shelf DRP software [ edit ]

Various vendors offer software packages that help automate the disaster recovery planning process. Kingsbridge offers the KingsBridge Shield for this purpose. It also has a module called Phoenix SharePoint that snaps into MS SharePoint to do DR planning through Microsoft's SharePoint. [ 20 ] Vision Solutions offers a product called "DoubleTake RecoverNow" that provides continuous realtime data backup, thus providing continuous data protection (CDP). [ 21 ] Erlogix has a product called Business Continuity Management System that covers the entire DRP project, from Risk Assessment and Business Impact Analysis and Interviews, through Plan Development, Implementation and Maintenance. [ 22 ] SunGard provides a product called "Continuity Management Solution" that automates the disaster recovery planning process. [ 23 ] Additionally, there are online outlets that provide templates and other disaster planning tools, which are available for free download. [ 24 ]

See also [ edit ]

  • Disaster recovery
  • Business continuity planning
  • Federal Emergency Management Agency
  • Backup rotation scheme
  • Seven tiers of disaster recovery

References [ edit ]

  • ^ a b c d Abram, Bill (14 June 2012). "5 Tips to Build an Effective Disaster Recovery Plan" . Small Business Computing . Retrieved 9 August 2012 .  
  • ^ a b c d Wold, Geoffrey H. (1997). "Disaster Recovery Planning Process" . Adapted from Volume 5 #1. Disaster Recovery World . Retrieved 8 August 2012 .  
  • ^ An Overview of the Disaster Recovery Planning Process - From Start to Finish. Comprehensive Consulting Solutions Inc. "Disaster Recovey Planning, An Overview: White Paper." March 1999. Retrieved 8 August 2012.
  • ^ Definition: Recovery point objective (RPO). Retrieved 10 August 2012.
  • ^ Recovery Point Objective (RPO): Definition - What does Recovery Point Objective (RPO) mean?. Techopedia. Janalta Interactive Inc. 2012. Retrieved 10 August 2012.
  • ^ a b The Disaster Recovery Plan. Chad Bahan. GSEC Practical Assignment version 1.4b. SANS Institute InfoSec Reading Room. June 2003. Retrieved 24 August 2012.
  • ^ Disaster Recovery Institute International. Course BCLE 2000. Participant Guide: Professional Practice 6. Page 17. 2012.
  • ^ Michigan State University: Disaster Recovery Planning - Step by Step Guide. Retrieved 8 August 2012.
  • ^ Backup Disaster Recovery. Email Archiving and Remote Backup. 2010. Retrieved 9 August 2012.
  • ^ Disaster Recovery & Business Continuity Plans. Stone Crossing Solutions. 2012. Retrieved 9 August 2012.
  • ^ Disaster Recovery – Benefits of Getting Disaster Planning Software and Template and Contracting with Companies Offering Data Disaster Recovery Plans, Solutions and Services: Why Would You Need a Disaster Recovery Plan?. Continuity Compliance. 7 June 2011. Retrieved 14 August 2012.
  • ^ Business Continuity Planning (BCP): Sample Plan For Nonprofit Organizations. Pages 11-12. Retrieved 8 August 2012.
  • ^ What should I do if there has been a bioterrorism attack?. Edmond A. Hooker. WebMD. 9 October 2007. Retrieved 18 September 2012.
  • ^ Report of the Joint Fire/Police Task Force on Civil Unrest (FA-142): Recommendations for Organization and Operations During Civil Disturbance. Page 55. FEMA. Retrieved 21 October 2012.
  • ^ Business Continuity Planning: Developing a Strategy to Minimize Risk and Maintain Operations. Adam Booher. Retrieved 19 September 2012.
  • ^ Hazardous Materials. Tennessee Emergency Management Office. Retrieved 7 September 2012.
  • ^ Managing Hazardous Materials Incidents (MHMIs). Center for Disease Control. Retrieved 7 September 2012.
  • ^ Guidelines for First Response to a CBRN Incident. Project on Minimum Standards and Non-Binding Guidelines for First Responders Regarding Planning, Training, Procedure and Equipment for Chemical, Biological, Radiological and Nuclear (CBRN) Incidents.] NATO. Emergency Management. Retrieved 21 October 2012.
  • ^ Five Mistakes That Can Kill a Disaster Recovery Plan. In archive.org Cormac Foster. Dell Corporation. 25 October 2010. Retrieved 8 August 2012.
  • ^ KingsBridge Shield: An Online Planning Tool For Business Continuity and Disaster Recovery. KingsBridge Systems. Retrieved 14 August 2012.
  • ^ DoubleTake RecoverNow (formerly, "Double-Take Backup). Vision Solutions. Retrieved 14 August 2012.
  • ^ ErLogix Business Continuity Management System and Disaster Recovery Planning Solution. ErLogix. Retrieved 14 August 2012.
  • ^ Planning & Software: The tools you need to minimize risk and ensure continuity, Business Continuity Management Software. SunGard Availability Services. Retrieved 23 August 2012.
  • ^ Disaster Recovery Plan Template: Free Tools for Disaster Preparedness Disaster Recovery Plan Template. Retrieved 7 December 2012.

disaster recovery plan wikipedia

IMAGES

  1. What a Disaster Recovery Plan (DRP) Is and How It Works

    disaster recovery plan wikipedia

  2. Disaster Recovery Plan (DRP)

    disaster recovery plan wikipedia

  3. disaster recovery

    disaster recovery plan wikipedia

  4. Seven Tips for Disaster Recovery Planning (DRP)

    disaster recovery plan wikipedia

  5. Iso 27001 Disaster Recovery Plan Template

    disaster recovery plan wikipedia

  6. MISO L008 Disaster Recovery Plan

    disaster recovery plan wikipedia

VIDEO

  1. Disaster Recovery Solutions

  2. Common Mistakes When Creating a Disaster Recovery Plan #disasterrecovery

  3. DISASTER Recovery PLAN #amazingaquarium #tropicalfish #aquariumfish #aquaria

  4. Want a Disaster Recovery Plan? We Got You Covered!

COMMENTS

  1. Disaster recovery

    Disaster recovery is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle. It employs policies, tools, and procedures.

  2. Disaster recovery and business continuity auditing

    Disaster recovery is a subset of business continuity. Where DRP encompasses the policies, tools and procedures to enable recovery of data following a catastrophic event, business continuity planning (BCP) involves keeping all aspects of a business functioning regardless of potential disruptive events.

  3. Business continuity planning

    A business continuity plan [10] outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade. BCP's are written ahead of time and can also include precautions to be put in place.

  4. Disaster Recovery Plan (DRP)

    A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. [1] A Disaster Recovery Plan (DRP) is a business plan that describes how work can be resumed quickly and effectively after a disaster.

  5. What is a disaster recovery plan?

    A disaster recovery plan (DRP) is a detailed document that outlines how an organization will respond to an unplanned incident. Along with business continuity plans (BCPs) and incident response plans (IRPs), DR plans help ensure businesses are prepared to face many different types of disasters, including power outages, ransomware and malware ...

  6. What is a Disaster Recovery Plan?

    Topics What is a Disaster Recovery Plan? What is a Disaster Recovery Plan? Disaster recovery (DR) is an organization's ability to restore access and functionality to IT infrastructure...

  7. What is a Disaster Recovery Plan (DRP) and How Do You Write One?

    A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan ( BCP ). It is applied to the aspects of an organization that depend on a functioning information technology (IT) infrastructure.

  8. What is a Disaster Recovery Plan? + Complete Checklist

    A disaster recovery plan (DRP) is a set of detailed, documented guidelines that outline a business' critical assets and explain how the organization will respond to unplanned incidents. Unplanned incidents or disasters typically include cyber attacks, system failures, power outages, natural disasters, equipment failures, or infrastructure ...

  9. Disaster Recovery: An Introduction

    Disaster recovery planning can dramatically reduce these risks. Disaster recovery planning involves strategizing, planning, deploying appropriate technology, and continuous testing. Maintaining backups of your data is a critical component of disaster recovery planning, but a backup and recovery process alone does not constitute a full disaster ...

  10. What is a disaster recovery plan (DRP) and how to create one?

    A disaster recovery plan helps your IT team respond to an unplanned interruption of network services during a disaster, including voice, data, internet, etc. The plan must include procedures for recovering an organization's network operations, including local area networks (LANs), wide-area networks (WANs), and wireless networks.

  11. What is a Disaster Recovery Plan? Definition + Strategies

    A disaster recovery plan (DRP), disaster recovery implementation plan, or IT disaster recovery plan is a recorded policy and/or process that is designed to assist an organization in executing recovery processes in response to a disaster to protect business IT infrastructure and more generally promote recovery.

  12. What is Disaster Recovery?

    Disaster recovery is the process by which an organization anticipates and addresses technology-related disasters. The process of preparing for and recovering from any event that prevents a workload or system from fulfilling its business objectives in its primary deployed location, such as power outages, natural events, or security issues.

  13. What is a Disaster Recovery Plan? Importance & Benefits

    A disaster recovery plan focuses on the restoration of IT infrastructure and data following a disruptive incident. It outlines specific steps and procedures to recover critical systems, applications and data to minimize downtime and ensure operational continuity. On the other hand, a business continuity plan encompasses a broader scope beyond IT.

  14. PDF National Disaster Recovery Framework

    National Disaster Recovery Framework Second Edition June2016 National Disaster Recovery Framework i Executive Summary The National Disaster Recovery Framework(NDRF) establishes a common platform and forum for how the whole community builds, sustains, and coordinates delivery of recovery capabilities.

  15. What is business continuity disaster recovery?

    A disaster recovery plan (DRP) is a contingency plan for how an enterprise will recover from an unexpected event. Alongside business continuity plans (BCPs), DR plans help businesses navigate different disaster scenarios, such as massive outages, natural disasters, ransomware and malware attacks, and many others.

  16. What Is Disaster Recovery Plan? (A Guide For Website Owners)

    A disaster recovery plan should include response procedures for different types of disasters. This includes procedures for responding to natural disasters, cyber-attacks, and technical failures. Response procedures should outline the steps to minimize the disaster's impact and recover quickly. Testing and maintenance.

  17. What is a Disaster Recovery Plan?

    A disaster recovery plan (DR or DRP) is a formal document created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events. The plan contains strategies to minimize the effects of a disaster, so an organization can ...

  18. National disaster recovery framework

    The National Disaster Recovery Framework ( NDRF) is a guide published by the US Government to promote effective disaster recovery in the United States, particularly for those incidents that are large-scale or catastrophic. The NDRF was released in September 2011 by the Federal Emergency Management Agency (FEMA).

  19. What is contingency planning?

    What is a contingency plan? Businesses need to have a plan in place to get back on track when a disaster interrupts daily operations. Contingency plans, also known as "business continuity plans," "emergency response plans" and "disaster recovery plans" help organizations recover after a disruption. Whether they're preparing for a ...

  20. What is Disaster Recovery in IT? Meaning, Plans & more

    At its core, a Disaster Recovery Plan (DRP) is a documented set of procedures and protocols designed to minimize data loss as well as downtime and service disruption. It also guarantees business during and after a disaster or unexpected event.

  21. Recovery plan

    Disaster recovery plan, a plan to execute an organization's disaster recovery processes, in particular business IT infrastructure, in the event of a disaster Endangered species recovery plan, protocols for protecting and enhancing rare and endangered species populations Economic recovery plans :

  22. Disaster recovery plan

    A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. [1] Such plan, ordinarily documented in written form, specifies procedures an organization is to follow in the event of a disaster. It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster."

  23. Disaster response

    Definition Disaster response refers to the actions taken directly before, during or in the immediate aftermath of a disaster. The objective is to save lives, ensure health and safety and to meet the subsistence needs of the people affected. [1] : 16