Disaster recovery plans and business continuity plans are unique to each and every company. In this article, we will walk through the purpose of these documents, their similarities and differences, the relevant controls, and common scenarios for disaster recovery.
What Is the Purpose of a DRP? How Is It Different Than a BCP, BIA, & IRP?
Before we begin, let’s walk through common acronyms that are associated with disaster recovery. There are four documents that come up in discussion when talking about preparations for disaster recovery. These are the following:
- Disaster Recovery Plan (DRP)
- Business Continuity Plan (BCP)
- Business Impact Analysis (BIA)
- Incident Response Plan (IRP)
Disaster Recovery Plan (DRP)
The primary purpose of the DRP is to minimize the duration and impact of disruption when a disaster occurs in order to safeguard the continuity of business operations. The DRP typically focuses on the information technology environment.
Business Continuity Plan (BCP)
The BCP, as outlined in our article Business Continuity Planning: Why It’s Essential for Sustainable Success is a “strategy outlining how an organization will continue to operate and provide essential services in the midst of unexpected disruptions”. The BCP typically includes measures around personnel safety, maintaining critical operations, and minimizing financial and reputational losses.
Business Impact Analysis (BIA)
The BIA predicts outcomes and consequences from a business disruption to be considered in recovery procedures. Through the identification of consequences, critical business processes can be identified. The BIA focuses on operational and financial impact to determine the order of restoration in the event of a disaster. The BIA, or a similar exercise, should be completed first in order to guide the areas of focus for your BCP and DRP.
Incident Response Plan (IRP)
The IRP is a process document that focuses on procedures to perform in the event of a probable or confirmed event that is relevant to security and availability. This may also be referred to as Incident Management. Though the IRP and DRP may both be used for the same type of incidents if they are security-related (e.g. someone inappropriately gained entry to the physical or logical environment), it is the impact and severity that differentiate which plan management will be followed.
These documents above are more so building blocks than puzzle pieces. They can be documented on their own or can be intertwined and inter-referenced.
Which Comes First – Business Continuity or Disaster Recovery? What is Their Relationship?
Disaster recovery (along with business impact and incident response) is a component of business continuity. Either plan can be developed first but both should be considered. The BCP has a broader lens in order to include the entire organization in the procedures. It includes all phases from preparedness to full business recovery after a significant event halted business operations. The DRP is zoomed in on recovery efforts of IT infrastructure to recover and restore data and technology that is critical in supporting the business.
What Are the Similarities & Differences in the Business Continuity & Disaster Recovery Processes?
Disaster recovery and business continuity will look different depending on the structure of a company. A company that is fully virtual and relies on other companies to maintain the availability of the systems will have different procedures than a company that maintains its own data center to host business operations.
Both the DRP and the BCP should include a risk assessment. The focus of the risk assessment, which can be derived or incorporated with the BIA, will include potential disasters that could impact the IT systems and therefore, the business as a whole.
Defining Critical Areas
If the BCP has not already defined the critical systems and services, the DRP should. This section of the policy should list the critical systems and the order of their priority in the recovery process. Critical systems will usually include IT infrastructure that contains client data, critical interfaces with other systems, and the build and deployment infrastructure.
Roles & Communication
Both the DRP and the BCP will include roles and responsibilities, such as information security roles and responsibilities, along with lines of communication. However, the communication process for the DRP may be different depending on the impact of the disaster. For example, the BCP may require further-reaching notifications to all customers if business operations cease.
In contrast, a DRP notification may be limited to impacted customers, if the event had limited impact. Be sure to assign ownership of communication for internal and external announcements. The identified person or team will draft internal announcements, customer-directed announcements, or public announcements. This is an urgent situation, however, there should be a review process for communications to make sure that the most accurate messaging is communicated.
Activation & Timelines
Identify who has the ability to activate the DRP and who is their backup. Additionally, what are the qualifications to activate the DPR? If an outage occurs, how long-lasting does it have to be, and how many customers need to be impacted before the DRP is activated? Establish expected timelines for how long containment, mitigation, recovery, and communication should take to accomplish.
Containment & Mitigation
Mitigating procedures will need to be performed in order to create a boundary of impact based on the type and severity of the disaster. For example, if an intruder inappropriately accessed systems and caused widespread outages across the entire company, management would need to generate logs to determine the activity of the intruder in order to see what accounts were accessed, what configurations were modified, and what changes were made to production. Management may need to reset accounts, logins, workstations, and access keys to your environment.
The recovery phase of the DRP will be unique compared to the BCP as this will be specific to the infrastructure and system’s backup and restoration procedures. A corporate data backup policy is used to determine the frequency and location of backups in order to plan recovery efforts.
- For recovery procedures in a cloud environment, management will need to ensure they are able to authenticate into the environment. Depending on the backup configurations, management will select the most recent viable snapshot in order to restore the environment and all data files, etc.
- For recovery procedures in an on-premise environment your backups may be on physical tape, disk-based, or through cloud services. If using tape backups include the expected time to obtain these when they are stored offsite. Consider if new hardware will need to be obtained if the disaster damaged the old hardware.
- For both types of backups, management should test the restored environment to ensure proper functionality, and accuracy and completeness of data. Management will also need to monitor the environments after restoration to determine if they require adjustments.
Both the DRP and BCP will assess any lessons learned after the event. This retrospective exercise for the DRP should include if policies require amendments and should revisit the steps of backup and recovery to determine if they require modifications (e.g. if backups should occur more frequently).
What Are the Types of Controls for a Disaster Recovery Plan?
There are a few controls that will be included in the SOC 2 for the DRP. The first control will be to ascertain that a DRP has been formally documented. This control may also include an element of management review to determine if management is keeping the procedures up to date. Another control is assessing management’s test of the DRP. The test will be based on the frequency upon which the company holds tests and can involve a third party to facilitate the process or it can be overseen by management. Testing the DRP is important as exercises detect if timelines are realistic and the effectiveness of procedures.
Prepare the users involved in the DRP test for what to do when the DRP is activated in a real disaster. A test of the DRP should be performed based on the risk of the company; an annual occurrence is most common. DRP test scenarios should vary in nature. When utilizing a third party to facilitate the DRP test new perspectives are gained and this can prevent similar scenarios from being reviewed each year.
What Events Does a DRP Cover?
Common DRP scenarios include:
- Severe weather (wildfire, hurricane, tornado, flooding)
- Intentional or unintentional human-caused events (physical access intruder, internal or external hacker, employee error)
- Third-party (outages or vendor becomes unavailable)
- Building & Infrastructure (power outage, network failure)
The BCP and DRP have elements of overlap but it is important to understand where they are unique in order to utilize them properly in your environment and to prepare yourself for events in the future that could impact the business. If you have questions about the DRP or BCP, or are seeking guidance on the audit process or for your upcoming SOC 1 audit or SOC 2 audit, please contact us and request a consultation.
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.