Is there a written disaster recovery / business continuity plan?
Description
What this control does
A written disaster recovery and business continuity plan (DR/BCP) is a documented set of procedures and instructions to enable critical business functions to continue during and after a disruptive incident, such as natural disasters, cyberattacks, system failures, or other catastrophic events. The plan defines recovery time objectives (RTOs), recovery point objectives (RPOs), roles and responsibilities, communication protocols, alternate processing sites, data backup and restoration procedures, and testing schedules. This control is essential because it reduces organizational exposure to extended downtime, financial losses, reputational damage, and regulatory penalties by ensuring systematic, rehearsed responses to disruptions that could otherwise permanently cripple operations.
Control objective
What auditing this proves
Demonstrate that the organization has established, documented, and maintains a comprehensive disaster recovery and business continuity plan that defines recovery strategies, roles, objectives, and procedures for restoring critical business operations following disruptive events.
Associated risks
Risks this control addresses
- Ransomware encryption of production systems causes indefinite service outages due to lack of documented recovery procedures and backup restoration processes
- Natural disasters such as floods or fires destroy primary data centers without predetermined failover procedures, resulting in total loss of business operations
- Critical personnel are unavailable during incidents and remaining staff cannot execute recovery activities due to absence of documented roles and procedures
- Extended downtime from cyberattacks or system failures exceeds acceptable business thresholds, causing revenue loss, contract breaches, and customer attrition
- Regulatory non-compliance and legal penalties arise from an inability to restore services within mandated timeframes due to inadequate planning
- Data loss exceeds acceptable thresholds because recovery point objectives and backup frequencies are undefined or not aligned with business requirements
- Communication breakdowns during crises lead to uncoordinated response efforts, prolonged recovery times, and stakeholder confusion when notification protocols are absent
Testing procedure
How an auditor verifies this control
- Request and obtain the current disaster recovery and business continuity plan document including all appendices, runbooks, and supporting documentation
- Review the document to verify it includes defined recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems and business processes
- Verify that the plan identifies critical business functions, dependencies, alternate processing sites, communication trees, and escalation procedures
- Examine the documented roles and responsibilities section to confirm specific personnel assignments for activation, coordination, technical recovery, and communications during incidents
- Review the testing and maintenance schedule to confirm the plan requires periodic testing, updates following organizational changes, and post-incident reviews
- Interview the business continuity coordinator or designated owner to confirm awareness of plan contents, update procedures, and most recent revision date
- Select a sample of three critical systems from the plan and verify that the documented recovery procedures include step-by-step technical instructions, the location of access credentials, and vendor contact information
- Examine records of the most recent DR/BCP test or exercise to validate that the plan has been tested within the past 12 months and that identified gaps were remediated