15 Factors Every Disaster Recovery Audit Must Include
If the disaster recovery strategy at your business includes “set it and forget it,” you’re not alone. Only 40% of companies test their disaster recovery plans once a year, and more than 25% of organizations test “rarely or never.”
This is a problem for a variety of reasons: your business changes, the threat landscape changes, available solutions change, your IT infrastructure changes, personnel change – in short, you’re facing a dynamic landscape that never stands still, even if your disaster recovery plan does.
The solution? Audit your disaster recovery plan thoroughly and regularly to test for performance, efficiency, cost and overall effectiveness.
15 Factors To Include In Your Disaster Recovery Audit
The first step to auditing your disaster recovery plan, of course, is to have a disaster recovery plan. This isn’t as obvious as it sounds; 75% of small businesses don’t have a disaster recovery plan in place, and their larger counterparts don’t fare much better. If you’re just getting started, or undertaking a significant upgrade, check out our recent blog post, “How to Create or Refresh a Successful Disaster Recovery Strategy,” for a how-to guide to the process.
Assuming you have a plan in place, the audit will reveal any gaps in your planning. It evaluates the people, process and technology components of your plan to assess the likelihood that they will effectively protect your assets in a real emergency.
A comprehensive audit should consider these 15 factors:
- Disaster recovery objectives, mission statement and policies
- How recently you updated your written disaster recovery plan
- Your designated hot and/or cold sites
- The ability to recover data and systems
- Processes for frequent, consistent backup of systems and data
- Tests and drills of disaster procedures
- Data and system backups stored offsite or in the cloud
- Relevancy and currency of disaster recovery personnel, like the committee and chairperson, plus any backups
- Facility practices, like visibly listed emergency telephone numbers
- Procedures and tools for effective communication, such as emergency notification systems
- Updated and validated system and operational documentation
- Emergency procedures for people and facilities as well as IT assets
- Hardware and software vendor lists, including contractual agreements like SLAs
- Workflows for both manual and automated procedures
All of these elements should be examined biannually to account for changes in staff, systems and any new threats. Ideally, your disaster recovery plan will be updated as those changes occur; if you deploy a new software solution, for example, its relevant disaster recovery procedures should be added to the plan as part of implementation. But there will always be things that are overlooked, so an annual audit catches any adjustments that may have fallen through the cracks.
It’s also important to consider the accessibility of the disaster recovery plan itself. If your systems go down, will administrators and employees be able to find and act on your plan? Documents released by the Michigan Department of Technology show that they learned this lesson the hard way: they stored their plan on the same network that it was meant to restore, so when the network went down, the plan went with it. Make sure to back up your disaster recovery plan both electronically, in multiple places, and in hard copies at your physical locations.
Additional Considerations For A Successful Disaster Recovery Audit
While auditing and testing your disaster recovery plan can admittedly be time-consuming, it’s worth it to be prepared when disaster strikes. It’s important to make sure that it not only works, but covers all the mission-critical areas in a cost-effective way.
Many disaster recovery solutions, for instance, are moving to the cloud with DRaaS offerings and more. These tools are more cost-effective and scalable, and they provide most, if not all, of the services you need “baked into” the platform.
Don’t forget to audit the tools that complement your primary disaster recovery solution as well. The best prepared organizations run an emergency notification system (ENS) alongside their DR stack to ensure the safety and productivity of their employees and further bolster their business continuity capabilities. An ENS can play a critical role during an emergency, but many products suffer from the same bloat that infects other types of software: increasing costs for decreasing value.
Evaluate your emergency notification system alongside your disaster recovery plan to make sure that it, too, works as needed.
Regularly auditing and testing your disaster recovery plan can mean the difference between a fast recovery with minimal impact and hours – or days – of expensive, damaging downtime. Keep your plan up-to-date by auditing it biannually against the full list of criteria to make sure your plan does its job when you need it most.