- Disaster recovery planning and management
disaster recovery plan (DRP)
- Paul Crocetti, Senior Site Editor
What is a disaster recovery plan (DRP)?
A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan ( BCP ). It is applied to the aspects of an organization that depend on a functioning information technology (IT) infrastructure. A DRP aims to help an organization resolve data loss and recover system functionality so that it can perform in the aftermath of an incident, even if it operates at a minimal level.
The plan consists of steps to minimize the effects of a disaster so the organization can continue to operate or quickly resume mission-critical functions. Typically, a DRP involves an analysis of business processes and continuity needs. Before generating a detailed plan, an organization often performs a business impact analysis ( BIA ) and risk analysis ( RA ), and it establishes recovery objectives.
As cybercrime and security breaches become more sophisticated, it is important for an organization to define its data recovery and protection strategies. The ability to quickly handle incidents can reduce downtime and minimize financial and reputational damages. DRPs also help organizations meet compliance requirements, while providing a clear roadmap to recovery.
Some types of disasters that organizations can plan for include the following:
- application failure
- communication failure
- power outage
- natural disaster
- malware or other cyber attack
- data center disaster
- building disaster
- campus disaster
- citywide disaster
- regional disaster
- national disaster
- multinational disaster
Recovery plan considerations
When disaster strikes, the recovery strategy should start at the business level to determine which applications are most important to running the organization. The recovery time objective ( RTO ) describes the amount of time critical applications can be down, typically measured in hours, minutes or seconds. The recovery point objective ( RPO ) describes the age of files that must be recovered from data backup storage for normal operations to resume.
This article is part of
What is BCDR? Business continuity and disaster recovery guide
- Which also includes:
- Business resilience vs. business continuity: Key differences
- A free business continuity plan template and guide
- Preparing an annual schedule of business continuity activities
Download this entire guide for FREE now!
Recovery strategies define an organization's plans for responding to an incident, while disaster recovery plans describe how the organization should respond. Recovery plans are derived from recovery strategies.
In determining a recovery strategy, organizations should consider such issues as the following:
- insurance coverage
- resources -- people and physical facilities
- management team's position on risks
- data and data storage
- compliance requirements
Management approval of recovery strategies is important. All strategies should align with the organization's goals. Once DR strategies have been developed and approved, they can be translated into disaster recovery plans.
Types of disaster recovery plans
DRPs can be tailored for a given environment. Some specific types of plans include the following:
- Virtualized disaster recovery plan. Virtualization provides opportunities to implement DR in a more efficient and simpler way. A virtualized environment can spin up new virtual machine instances within minutes and provide application recovery through high availability . Testing is also easier, but the plan must validate that applications can be run in DR mode and returned to normal operations within the RPO and RTO.
- Network disaster recovery plan. Developing a plan for recovering a network gets more complicated as the complexity of the network increases. It is important to provide a detailed, step-by-step recovery procedure; test it properly; and keep it updated. The plan should include information specific to the network, such as in its performance and networking staff.
- Cloud disaster recovery plan. Cloud DR can range from file backup procedures in the cloud to a complete replication. Cloud DR can be space-, time- and cost-efficient, but maintaining the disaster recovery plan requires proper management. The manager must know the location of physical and virtual servers . The plan must address security, which is a common issue in the cloud that can be alleviated through testing.
- Data center disaster recovery plan. This type of plan focuses exclusively on the data center facility and infrastructure. An operational risk assessment is a key part of a data center DRP. It analyzes key components, such as building location, power systems and protection, security and office space. The plan must address a broad range of possible scenarios.
Scope and objectives of DR planning
The main objective of a DRP is to minimize negative effects of an incident on business operations. A disaster recovery plan can range in scope from basic to comprehensive. Some DRPs can be as much as 100 pages long.
DR budgets vary greatly and fluctuate over time. Organizations can take advantage of free resources, such as online DRP templates, like the SearchDisasterRecovery template below.
Several organizations, such as the Business Continuity Institute and Disaster Recovery Institute International, also provide free information and online content how-to articles.
An IT disaster recovery plan checklist typically includes the following:
- critical systems and networks it covers;
- staff members responsible for those systems and networks;
- RTO and RPO information;
- steps to restart, reconfigure, and recover systems and networks; and
- other emergency steps required in the event of an unforeseen incident.
The location of a disaster recovery site should be carefully considered in a DRP. Distance is an important, but often overlooked, element of the DRP process. An off-site location that is close to the primary data center may seem ideal -- in terms of cost, convenience, bandwidth and testing. However, outages differ greatly in scope. A severe regional event can destroy the primary data center and its DR site if the two are located too close together.
How to build a disaster recovery plan
The disaster recovery plan process involves more than simply writing the document. Before writing the DRP, a risk analysis and business impact analysis can help determine where to focus resources in the disaster recovery process.
The BIA identifies the impacts of disruptive events and is the starting point for identifying risk within the context of DR. It also generates the RTO and RPO. The RA identifies threats and vulnerabilities that could disrupt the operation of systems and processes highlighted in the BIA.
The RA assesses the likelihood of a disruptive event and outlines its potential severity.
A DRP checklist should include the following steps:
- establishing the range or extent of necessary treatment and activity -- the scope of recovery;
- gathering relevant network infrastructure documents;
- identifying the most serious threats and vulnerabilities, as well as the most critical assets;
- reviewing the history of unplanned incidents and outages, as well as how they were handled;
- identifying the current disaster recovery procedures and DR strategies;
- identifying the incident response team ;
- having management review and approve the DRP;
- testing the plan;
- updating the plan; and
- implementing a DRP or BCP audit .
Disaster recovery plans are living documents. Involving employees -- from management to entry-level -- increases the value of the plan.
Another component of the DRP is the communication plan . This strategy should detail how both internal and external crisis communication will be handled. Internal communication includes alerts that can be sent using email, overhead building paging systems, voice messages and text messages to mobile devices. Examples of internal communication include instructions to evacuate the building and meet at designated places, updates on the progress of the situation and notices when it's safe to return to the building.
External communications are even more essential to the BCP and include instructions on how to notify family members in the case of injury or death; how to inform and update key clients and stakeholders on the status of the disaster; and how to discuss disasters with the media.
Disaster recovery plan template
An organization can begin its DRP with a summary of vital action steps and a list of important contact information. That makes the most essential information quickly and easily accessible.
The plan should define the roles and responsibilities of disaster recovery team members and outline the criteria to launch the plan into action. The plan should specify, in detail, the incident response and recovery activities.
Get help putting together your disaster recovery plan with SearchDisasterRecovery's free, downloadable IT disaster recovery plan template .
Other important elements of a disaster recovery plan template include the following:
- a statement of intent and a DR policy statement;
- plan goals;
- authentication tools, such as passwords;
- geographical risks and factors;
- tips for dealing with media;
- financial and legal information and action steps; and
- a plan history.
Testing your disaster recovery plan
DRPs are substantiated through testing to identify deficiencies and provide opportunities to fix problems before a disaster occurs. Testing can offer proof that the emergency response plan is effective and hits RPOs and RTOs. Since IT systems and technologies are constantly changing, DR testing also helps ensure a disaster recovery plan is up to date.
Reasons given for not testing DRPs include budget restrictions, resource constraints and a lack of management approval. DR testing takes time, resources and planning. It can also be risky if the test involves using live data.
Build and execute your own disaster recover tests using SearchDisasterRecovery's free, downloadable business continuity testing template .
DR testing varies in complexity. In a plan review, a detailed discussion of the DRP looks for missing elements and inconsistencies. In a tabletop test, participants walk through plan activities step by step to demonstrate whether DR team members know their duties in an emergency. A simulation test uses resources such as recovery sites and backup systems in what is essentially a full-scale test without an actual failover .
Incident management plan vs. disaster recovery plan
An incident management plan ( IMP ) -- or incident response plan -- should also be incorporated into the DRP; together, the two create a comprehensive data protection strategy. The goal of both plans is to minimize the impact of an unexpected incident, recover from it and return the organization to its normal production levels as fast as possible. However, IMPs and DRPs are not the same.
The major difference between an incident management plan and a disaster recovery plan is their primary objectives. An IMP focuses on protecting sensitive data during an event and defines the scope of actions to be taken during the incident, including the specific roles and responsibilities of the incident response team.
In contrast, a DRP focuses on defining the recovery objectives and the steps that must be taken to bring the organization back to an operational state after an incident occurs.
Learn what it takes to develop a disaster recovery plan that considers the cloud and cloud services.
Continue Reading About disaster recovery plan (DRP)
- 10 steps for optimal IT disaster recovery plan design
- 4 components of a disaster recovery plan to prepare for a crisis
- 6 steps to a successful network disaster recovery plan
- What to include in a disaster recovery testing plan
Related Terms
Dig deeper on disaster recovery planning and management.
virtual disaster recovery
business impact analysis (BIA)
Cloud-era disaster recovery planning: Maintenance and continuous improvement
A new SaaS backup specialist emerges from stealth to protect data in apps such as Trello, GitHub and GitLab, which CEO Rob ...
A growing number of enterprise Kubernetes users presents an opportunity for CloudCasa, currently a division of Catalogic, with ...
Organizations with SaaS-based applications are still relying on the providers for data protection, even though the vendors are ...
Pure Storage expanded its storage offerings with FlashBlade//E designed for the unstructured data market with an acquisition cost...
Data governance manages the availability, usability, integrity and security of data. Follow these best practices for governance ...
Vast Data Universal Storage brought out data services, including set performance, metadata cataloging, better security, container...
An incident response program ensures security events are addressed quickly and effectively as soon as they occur. These best ...
The Biden-Harris administration's 39-page National Cybersecurity Strategy covers multiple areas, including disrupting ransomware ...
While ransomware incidents appear to be decreasing, several high-profile organizations, including Dole, Dish Network and the U.S....
Public, private, hybrid or consortium, each blockchain network has distinct pluses and minuses that largely drive its ideal uses ...
Get the lowdown on the major features, differentiators, strengths and weaknesses of the blockchain platforms getting the most ...
The 2023 trends that are reshaping the risk management landscape include GRC platforms, maturity frameworks, risk appetite ...
Disaster recovery (DR) consists of IT technologies and best practices designed to prevent or minimize data loss and business disruption resulting from catastrophic events—everything from equipment failures and localized power outages to cyberattacks, civil emergencies, criminal or military attacks, and natural disasters.
Many businesses—especially small- and mid-sized organizations—neglect to develop a reliable, practicable disaster recovery plan. Without such a plan, they have little protection from the impact of significantly disruptive events.
Infrastructure failure can cost as much as USD 100,000 per hour (link resides outside IBM), and critical application failure costs can range from USD 500,000 to USD 1 million per hour. Many businesses cannot recover from such losses. More than 40% of small businesses will not re-open after experiencing a disaster, and among those that do, an additional 25% will fail within the first year after the crisis. Disaster recovery planning can dramatically reduce these risks.
Disaster recovery planning involves strategizing, planning, deploying appropriate technology, and continuous testing. Maintaining backups of your data is a critical component of disaster recovery planning, but a backup and recovery process alone does not constitute a full disaster recovery plan.
Disaster recovery also involves ensuring that adequate storage and compute is available to maintain robust failover and failback procedures. Failover is the process of offloading workloads to backup systems so that production processes and end-user experiences are disrupted as little as possible. Failback involves switching back to the original primary systems.
Read our article to learn more information about the important distinction between backup and disaster recovery planning .
Business continuity planning creates systems and processes to ensure that all areas of your enterprise will be able to maintain essential operations or be able to resume them as quickly as possible in the event of a crisis or emergency. Disaster recovery planning is the subset of business continuity planning that focuses on recovering IT infrastructure and systems.
Business impact analysis
The creation of a comprehensive disaster recovery plan begins with business impact analysis. When performing this analysis, you’ll create a series of detailed disaster scenarios that can then be used to predict the size and scope of the losses you’d incur if certain business processes were disrupted. What if your customer service call center was destroyed by fire, for instance? Or an earthquake struck your headquarters?
This will allow you to identify the areas and functions of the business that are the most critical and enable you to determine how much downtime each of these critical functions could tolerate. With this information in hand, you can begin to create a plan for how the most critical operations could be maintained in various scenarios.
IT disaster recovery planning should follow from and support business continuity planning. If, for instance, your business continuity plan calls for customer service representatives to work from home in the aftermath of a call center fire, what types of hardware, software, and IT resources would need to be available to support that plan?
Risk analysis
Assessing the likelihood and potential consequences of the risks your business faces is also an essential component of disaster recovery planning. As cyberattacks and ransomware become more prevalent, it’s critical to understand the general cybersecurity risks that all enterprises confront today as well as the risks that are specific to your industry and geographical location.
For a variety of scenarios, including natural disasters, equipment failure, insider threats, sabotage, and employee errors, you’ll want to evaluate your risks and consider the overall impact on your business. Ask yourself the following questions:
- What financial losses due to missed sales opportunities or disruptions to revenue-generating activities would you incur?
- What kinds of damage would your brand’s reputation undergo? How would customer satisfaction be impacted?
- How would employee productivity be impacted? How many labor hours might be lost?
- What risks might the incident pose to human health or safety?
- Would progress towards any business initiatives or goals be impacted? How?
Prioritizing applications
Not all workloads are equally critical to your business’s ability to maintain operations, and downtime is far more tolerable for some applications than it is for others. Separate your systems and applications into three tiers, depending on how long you could stand to have them be down and how serious the consequences of data loss would be.
- Mission-critical: Applications whose functioning is essential to your business’s survival.
- Important: Applications for which you could tolerate relatively short periods of downtime.
- Non-essential: Applications you could temporarily replace with manual processes or do without.
Documenting dependencies
The next step in disaster recovery planning is creating a complete inventory of your hardware and software assets. It’s essential to understand critical application interdependencies at this stage. If one software application goes down, which others will be affected?
Designing resiliency—and disaster recovery models—into systems as they are initially built is the best way to manage application interdependencies. It’s all too common in today’s microservices -based architectures to discover processes that can’t be initiated when other systems or processes are down, and vice versa. This is a challenging situation to recover from, and it’s vital to uncover such problems when you have time to develop alternate plans for your systems and processes—before an actual disaster strikes.
Establishing recovery time objectives, recovery point objectives, and recovery consistency objectives
By considering your risk and business impact analyses, you should be able to establish objectives for how long you’d need it to take to bring systems back up, how much data you could stand to use, and how much data corruption or deviation you could tolerate.
Your recovery time objective (RTO) is the maximum amount of time it should take to restore application or system functioning following a service disruption.
Your recovery point objective (RPO) is the maximum age of the data that must be recovered in order for your business to resume regular operations. For some businesses, losing even a few minutes’ worth of data can be catastrophic, while those in other industries may be able to tolerate longer windows.
A recovery consistency objective (RCO) is established in the service-level agreement (SLA) for continuous data protection services. It is a metric that indicates how many inconsistent entries in business data from recovered processes or systems are tolerable in disaster recovery situations, describing business data integrity across complex application environments.
Regulatory compliance issues
All disaster recovery software and solutions that your enterprise have established must satisfy any data protection and security requirements that you’re mandated to adhere to. This means that all data backup and failover systems must be designed to meet the same standards for ensuring data confidentiality and integrity as your primary systems.
At the same time, several regulatory standards stipulate that all businesses must maintain disaster recovery and/or business continuity plans. The Sarbanes-Oxley Act (SOX), for instance, requires all publicly held firms in the U.S. to maintain copies of all business records for a minimum of five years. Failure to comply with this regulation (including neglecting to establish and test appropriate data backup systems) can result in significant financial penalties for companies and even jail time for their leaders.
Choosing technologies
Backups serve as the foundation upon which any solid disaster recovery plan is built. In the past, most enterprises relied on tape and spinning disks (HDD) for backups, maintaining multiple copies of their data and storing at least one at an offsite location.
In today’s always-on digitally transforming world, tape backups in offsite repositories often cannot achieve the RTOs necessary to maintain business-critical operations. Architecting your own disaster recovery solution involves replicating many of the capabilities of your production environment and will require you to incur costs for support staff, administration, facilities, and infrastructure. For this reason, many organizations are turning to cloud-based backup solutions or full-scale Disaster-Recovery-as-a-Service (DRaaS) providers.
Choosing recovery site locations
Building your own disaster recovery data center involves balancing several competing objectives. On the one hand, a copy of your data should be stored somewhere that’s geographically distant enough from your headquarters or office locations that it won’t be affected by the same seismic events, environmental threats, or other hazards as your main site. On the other hand, backups stored offsite always take longer to restore from than those located on-premises at the primary site, and network latency can be even greater across longer distances.
Continuous testing and review
Simply put, if your disaster recovery plan has not been tested, it cannot be relied upon. All employees with relevant responsibilities should participate in the disaster recovery test exercise, which may include maintaining operations from the failover site for a period of time.
If performing comprehensive disaster recovery testing is outside your budget or capabilities, you can also schedule a “tabletop exercise” walkthrough of the test procedures, though you should be aware that this kind of testing is less likely to reveal anomalies or weaknesses in your DR procedures—especially the presence of previously undiscovered application interdependencies—than a full test.
As your hardware and software assets change over time, you’ll want to be sure that your disaster recovery plan gets updated as well. You’ll want to periodically review and revise the plan on an ongoing basis.
The IBM Knowledge Center provides an example of a disaster recovery plan .
Disaster-Recovery-as-a-Service (DRaaS) is one of the most popular and fast-growing managed IT service offerings available today. Your vendor will document RTOs and RPOs in a service-level agreement (SLA) that outlines your downtime limits and application recovery expectations.
DRaaS vendors typically provide cloud-based failover environments. This model offers significant cost savings compared with maintaining redundant dedicated hardware resources in your own data center. Contracts are available in which you pay a fee for maintaining failover capabilities plus the per-use costs of the resources consumed in a disaster recovery situation. Your vendor will typically assume all responsibility for configuring and maintaining the failover environment.
Disaster recovery service offerings differ from vendor to vendor. Some vendors define their offering as a comprehensive, all-in-one solution, while others offer piecemeal services ranging from single application restoration to full data center replication in the cloud. Some offerings may include disaster recovery planning or testing services, while others will charge an additional consulting fee for these offerings.
Be sure that any enterprise software applications you rely on are supported, as are any public cloud providers that you’re working with. You’ll also want to ensure that application performance is satisfactory in the failover environment, and that the failover and failback procedures have been well tested.
If you have already built an on-premises disaster recovery (DR) solution, it can be challenging to evaluate the costs and benefits of maintaining it versus moving to a monthly DRaaS subscription instead.
Most on-premises DR solutions will incur costs for hardware, power, labor for maintenance and administration, software, and network connectivity. In addition to the upfront capital expenditures involved in the initial setup of your DR environment, you’ll need to budget for regular software upgrades. Because your DR solution must remain compatible with your primary production environment, you’ll want to ensure that your DR solution has the same software versions. Depending upon the specifics of your licensing agreement, this might effectively double your software costs.
Not only can moving to a DRaaS subscription reduce your hardware and software expenditures, it can lower your labor costs by moving the burden of maintaining the failover site to the vendor.
If you’re considering third-party DRaaS solutions, you’ll want to make sure that the vendor has the capacity for cross-regional multi-site backups. If a significant weather event like a hurricane impacted your primary office location, would the failover site be far enough away to remain unaffected by the storm? Also, would the vendor have adequate capacity to meet the combined needs of all its customers in your area if many were impacted at the same time? You’re trusting your DRaaS vendor to meet RTOs and RPOs in times of crisis, so look for a service provider with a strong reputation for reliability.
Read “ Disaster Recovery as a Service (DRaaS) vs. Disaster Recovery (DR): Which Do You Need? ” for a comparative overview of both solutions.
Related solutions
Cloud disaster recovery solutions.
Protect your data with a cloud disaster recovery plan.
- Explore cloud disaster recovery solutions
Zerto on IBM Cloud
Achieve RPO in seconds and RTO in minutes, with an easy-to-deploy and scalable data-protection solution.
- Explore Zerto on IBM Cloud
IBM Cloud global data centers
Run smoother with deployment options for every workload. Our network is resilient, redundant, highly available.
- Explore IBM Cloud global data centers
Gain the skills and knowledge required to begin a career as an IBM Cloud Professional Architect. Validate your capabilities in an interactive curriculum that prepares you for IBM Cloud certification.
Learn the basics of backup and disaster recovery so you can formulate effective plans that minimize downtime.
Compare the costs, benefits, and functionality of on-premises disaster recovery solutions and DRaaS.
- Recent changes
- Random page
- Help about MediaWiki
- What links here
- Related changes
- Special pages
- Printable version
- Permanent link
- Page information
- View source
Disaster Recovery Plan (DRP)
A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster. [1]
A Disaster Recovery Plan (DRP) is a business plan that describes how work can be resumed quickly and effectively after a disaster. Disaster recovery planning is just part of business continuity planning and is applied to aspects of an organization that rely on an IT infrastructure to function. The overall idea is to develop a plan that will allow the IT department to recover enough data and system functionality to allow a business or organization to operate - even possibly at a minimal level. The creation of a DRP begins with a DRP proposal to achieve upper-level management support. Then a business impact analysis (BIA) is needed to determine which business functions are the most critical and the requirements to get the IT components of those functions operational again after a disaster, either on-site or off-site. [2]
Types of Disaster Recovery Plan (DRP) [4] There is no one right type of disaster recovery plan, nor is there a one-size-fits-all disaster recovery plan. However, there are three basic strategies that feature in all disaster recovery plans: (1) preventive measures, (2) detective measures, and (3) corrective measures. Preventive measures will try to prevent a disaster from occurring. These measures seek to identify and reduce risks. They are designed to mitigate or prevent an event from happening. These measures may include keeping data backed up and off-site, using surge protectors, installing generators, and conducting routine inspections. Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. Their aim is to uncover new potential threats. They may detect or uncover unwanted events. These measures include installing fire alarms, using up-to-date antivirus software, holding employee training sessions, and installing server and network monitoring software. Corrective measures are aimed to restore a system after a disaster or otherwise unwanted event takes place. These measures focus on fixing or restoring the systems after a disaster. Corrective measures may include keeping critical documents in the Disaster Recovery Plan or securing proper insurance policies after a "lessons learned" brainstorming session. A disaster recovery plan must answer at least three basic questions: (1) what is its objective and purpose, (2) who will be the people or teams who will be responsible in case any disruptions happen, and (3) what will these people do (the procedures to be followed) when the disaster strikes.
Stages of a Disaster Recovery Plan [5] The goal of a DRP is to resume normal computing capabilities in as little time as possible. A typical DRP has several stages, including the following:
- Understanding an organization's activities and how all of its resources are interconnected.
- Assessing an organization's vulnerability in all areas, including operating procedures, physical space and equipment, data integrity and contingency planning.
- Understanding how all levels of the organization would be affected in the event of a disaster.
- Developing a short-term recovery plan.
- Developing a long-term recovery plan, including how to return to normal business operations and prioritizing the order of functions that are resumed.
- Testing and consistently maintaining and updating the plan as the business changes.
Phases in Developing an Effective Disaster Recovery Plan (DRP) [6]
- Business Impact Analysis (BIA): Performing a careful and complete Business Impact Analysis (BIA) is critical to developing an effective Disaster Recovery Plan. During this phase, system requirements, functions, and interdependencies are analyzed — the results are then used to identify system contingencies as well as set priorities. The Business Impact Analysis drives the Disaster Recovery Plan by identifying the applications and systems that will significantly impact the business in the event of a disaster. During this phase, it is vital that input be obtained from departments across the enterprise, from Human Resources and Customer Service, to Information Technology and Accounting . In addition to using this information gathering to define critical time frame, the BIA is also an effective strategy to educate the enterprise on the need for a Disaster Recovery Plan and to identify any alternative manual procedures that could potentially minimize the impact of an interruption in system availability.
- Defining RPO and RTO: Critical to BIA is determining the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) . The RPO is the point in time to which data must be recovered; the RTO is the overall length of time an IT component can be in recovery before it negatively impacts critical business processes. The analysis is important because different applications and IT components will have different RPOs and RTOs. For example, an application that supports a mission -critical application, such as customer order processing, may have a short RPO/RTO, while an application that runs an internal, non-customer facing of low import may have a much longer RPO/RTO.
- Architecting Your Recovery Strategies Developing a solid Disaster Recovery strategy requires a comprehensive approach. Key items that need to be considered include network requirements, infrastructure needs, data recovery, data and record management, security, and compliance . After the critical applications and data recovery objectives are identified, the company needs to architect the specific strategies and solutions to make sure the recovery objectives for applications, network, and data are restored in the appropriate timeframes. Meeting these recovery objectives may involve deploying new architecture , tools, and infrastructure internally or with the assistance of an external service provider. Options to be considered include electronic vaulting, tape retention, or a dual data center approach.
- Testing and Training: Performing thorough analysis and developing sound recovery strategies are critical to a solid Disaster Recovery Plan; however, testing the plan and training staff on executing the plan is vital to successful DR planning. The only way to validate that your plan will work is to test the plan on a regular basis and put a function in place to ensure it is updated to reflect changes in the environment. There are various levels of testing, with varying degrees of involvement - from a structured walk-through with key technical resources verbally assessing the plan, to simulation testing where a disaster is simulated so the plan can be implemented, to full interruption testing, in which the disaster recovery plan is activated in total. The organization needs to establish the testing required to effectively assess the validity of the plan. In tandem with testing the plan is the need to train assigned personnel both on their roles in the disaster recovery scenario and on the broader content of the plan itself. Like testing, the organization needs to regularly revisit the training plan to address the organizational changes, new hires, and attrition that are inevitable.
- Communication Plan and Role Assignments: When it comes to a disaster, communication is of the essence. A plan is essential because it puts all employees on the same page and ensures clearly outlines all communication. Documents should have all updated employee contact information and employees should understand exactly what their role is in the days following the disaster. Assignments like setting up workstations, assessing damage, redirecting phones and other tasks will need assignments if you don’t have some sort of technical resource to help you sort through everything.
- Plan For Your Equipment: It’s important you have a plan for how to protect your equipment when a major storm is approaching. You’ll need to get all equipment off the floor, moved into a room with no windows, and wrapped securely in plastic to ensure that no water can get to the equipment. It’s obviously best to completely seal equipment to keep it safe from flooding, but sometimes in cases of extreme flooding, this isn’t an option.
- Data Continuity System: As you create your disaster recovery plan, you’ll want to explore exactly what your business requires in order to run. You need to understand exactly what your organization needs operationally, and financially, with regard to supplies, and with communications. Whether you’re a large consumer business that needs to fulfill shipments and communicate with its customers about those shipments or a small business-to-business organization with multiple employees – you should document what your needs are so that you can make the plans for backup, business continuity, and have a full understanding of the needs and logistics surrounding those plans.
- Backup check: Make sure that your backup is running and include running an additional full local backup on all servers and data in your disaster preparation plan. Run them as far in advance as possible and make sure that they’re backed up to a location that will not be impacted by the disaster. It is also prudent to place that backup on an external hard drive that you can take with you offsite, just as an additional measure should anything happen.
- Detailed Asset Inventory: In your disaster preparation plan, you should have a detailed inventory of workstations, their components, servers, printers, scanners, phones, tablets, and other technologies that you and your employees use on a daily basis. This will give you a quick reference for insurance claims after a major disaster by providing your adjuster with a simple list (with photos) of any inventory you have.
- Pictures Of the Office and Equipment (before and after prep): In addition to the photos that you should have of individual inventory items, you’ll want to take photos of the office and your equipment to prove that those items were actively in use by your employees and that you took the necessary diligence to move your equipment out of harm's way to prepare for the storm.
- Vendor Communication and Service Restoration Plan: After a storm passes, you’ll want to begin running as quickly as possible. Make sure that you include vendor communication as part of your plan. Check with your local power provider to assess the likelihood of power surges or outages while damage is repaired in the area. You’ll also want to include checking with your phone and internet providers on restoration and access.
Testing Criteria and Procedures for Disaster Recovery Plans [8] Best practices dictate that DR plans be thoroughly tested and evaluated on a regular basis (at least annually). Thorough DR plans include documentation with the procedures for testing the plan. The tests will provide the organization with the assurance that all necessary steps are included in the plan. Other reasons for testing include:
- Determining the feasibility and compatibility of backup facilities and procedures.
- Identifying areas in the plan that need modification.
- Providing training to the team managers and team members.
- Demonstrating the ability of the organization to recover.
- Providing motivation for maintaining and updating the disaster recovery plan.
Reviewing a Disaster Recovery Plan [9] The National Institute of Standards and Technology (NIST) is a good resource for standards and guidelines to help businesses build a solid IT recovery plan. In its Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, recommendations are outlined to help organizations systematically review their plans to identify gaps that need to be addressed. There are three common ways to review a plan:
- Testing the system. An organization can test the system. Tests often focus on recovery and backup operations. An example would be removing power from a system to evaluate how quickly the organization can recover.
- Conducting a tabletop exercise. These are discussion-based exercises where a facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.
- Conducting a functional exercise. This allow staff to execute their roles and responsibilities as they would in an actual emergency situation, but in a simulated manner. The goal is to exercise the roles and responsibilities of specific team members, procedures and assets involved in one of more aspects of the recovery plan.
Disaster Recovery Plan Mistakes to Avoid (See Figure Below) [10] 1. Not Updating Your DRBC Plan: Many businesses will create a recovery plan and put it on the shelf to gather dust. This is a crucial mistake that should be avoided at all costs. Businesses experience turnover and the names and responsibilities on the plan will change. If the employee assigned to a task leaves your company and a new employee is not assigned to that task when disaster strikes nobody will do the task. The best practice would be to update your plan a minimum of once a year. 2. Having Only One Person Creating The DR Plan: Once you begin creating a DR plan you will realize how complex and time intensive it can be. There are many levels and facets to a great DR plan. You need the input of various employees from different departments in your organization to insure you have considered every contingency. Create a Disaster Recovery (DR) plan team that can work together and separately on creating the entire plan. 3. Thinking Your Insurance Policy and DR Plan Are The Same Thing: Having good insurance is a vital part of your DR Plan but it is only a part. You will need to know how to keep your company running while you are waiting for the insurance company to write you a check. Customers understand that disasters happen, but they expect companies to have a contingency plan in place to lessen the disruption of service. 4. Not Running Drills: Employees need to be trained on what to expect if a disaster happens. If they have tasks to complete, they need to have that knowledge before an actual disaster occurs. Employees and their alternates should practice their tasks to make sure they fully understand how to execute them. Finding out in a drill that someone is unable to complete their task is much better than when an active event occurs. 5. Depending On A Phone Tree: Communication during a disaster is critical. Phone trees are notorious for failing a few levels in. You need to make sure you have a reliable communication plan in place. Put your employees, vendors, and important clients' contact information in your plan for easy access. Consider hosting your plan on a platform that offers a communication feature like the one in Stay in Business. 6. Over-Assigning DR Duties To Employees: If the same employee is given the majority of the tasks to do, your company’s recovery time will be slowed. Only assign tasks to the same person that they can reasonably complete. Assigning teams to a task can help alleviate this problem. While one person needs to be responsible for overseeing the task gets done, multiple people can help accomplish it. 7. Not Tracking When Tasks Get Done: During the confusion that can occur because of a disaster, keeping track of what has been done and what still needs to be started can be a hard job. Employee accountability for starting and completing their tasks can be simplified by a tracking system or checklist. The more you can automate your reporting needs, the easier the recovery will be. 8. Not Learning From Disaster: When your company has been restored to normal operations and the disaster declared over, your DR planning is not done. Now is the time to go over what happened and how you can improve your plan for the next event. No plan is perfect, but a well-thought-out plan, that is allowed to change when new information is presented, has a better chance of protecting your employees and assets. In the end isn’t that why you made a plan in the first place?
Benefits of a Disaster Recovery Plan [11] There are many benefits to having a disaster recovery plan, but the biggest benefit is the level of disaster preparedness one can only get by taking the time to make develop a plan. A backup and disaster recovery plan is designed to keep business going after a disaster. It’s really a matter of saving your business from the cost of downtime. Just know that the benefits of having a disaster recovery plan are more than just readiness. Here are a few reasons you should consider making a disaster recovery plan that you may not have considered.
- Asset and Inventory Management: The first part of a good backup and recovery plan is thorough documentation, which involves understanding equipment inventory. This is useful for identifying which pieces of equipment you have, which are extra but may come in handy, and which are completely superfluous. Any good IT administrator knows which equipment he or she has and where to find it. That way if there is a problem, whether small or large, spare equipment is quickly accessible. Good asset management also helps prevent employee theft, which can certainly happen at any organization.
- Network Management: How can you successfully manage a network if you don’t know everything about it? Detailed documentation as part of a good backup and recovery plan helps you clearly understand the way a network is functioning, which allows you to remedy issues quickly. So if there’s a simple problem like a busted router or something awful like a server failure, you can handle it. RMM tools are great for this because they can help you document networked equipment automatically. Still, there’s a physical aspect that you shouldn’t ignore. Taking photos of equipment set ups - particularly in server rooms or closest - can be useful as well.
- Task Redundancy: Part of your disaster plan involves making sure at least two people can do any one task. This keeps you covered in an emergency, but it doesn’t have to be a full on disaster for task redundancy to be useful. Have you ever had somebody leave on vacation, call in sick, or leave the company abruptly and on poor terms? This can cause huge problems if that person is the only one who can do a critical task. Not only that, but what about less critical tasks? As an example, suppose you need a person to perform a network diagnosis before you can fix something, but only that one person has the capability. If that person is too busy, it can create a bottle neck and you’re sitting around waiting. You could save time if only you could quickly do it yourself.
- Cost Savings: We mentioned that good documentation can result in better management, but it can also help you identify areas where you could be saving money, particularly if it’s time for a hardware upgrade. Why run three separate servers when you can run three virtual servers on one physical piece of equipment? Your eagle-eye view can help you see where the cost savings might be and where you might be able to go virtual or to the cloud.
- Ability to Test: How can you test a plan you don’t have? If you have a disaster recovery plan you can run through what would happen in various scenarios, which allows you to see your recovery in action. If you’re an IT provider, this also helps you establish trust with clients who can actually watch your test and see that you can deliver on any promises you’ve made.
- ↑ Definition of Disaster Recovery Plan ScienceDaily
- ↑ What is Disaster Recovery Plan Techopedia
- ↑ Scope and Objectives of a Disaster Recovery Plan Sans Institute
- ↑ Types of Disaster Recovery Plan (DRP) [1]
- ↑ Stages of a Disaster Recovery Plan Webopedia
- ↑ The Four Phases in Developing an Effective Disaster Recovery Plan (DRP) secure24
- ↑ Key Elements of a Disaster Recovery Plan (DRP) Kyle Cebull
- ↑ Developing Testing Criteria and Procedures for Disaster Recovery Plans Wikipedia
- ↑ Different ways to Review a Disaster Recovery Plan BerganKDV
- ↑ 8 Disaster Recovery Plan Mistakes Companies Make SIB/Amala
- ↑ Benefits of a Disaster Recovery Plan ACD Communications
Further Reading
- How Effective Is Your Disaster Recovery Plan? Forbes
- Information Technology Disaster Recovery Plan SOU
- Guidelines for Generating a Disaster Recovery Plan University of Arizona
- 10 Essential Steps to Developing an IT Disaster Recovery Plan That Works Cloed Endure
- 8 ingredients of an effective disaster recovery plan cio.com
- 7 things your IT disaster recovery plan should cover CSO Online
- The Importance Of A Disaster Recovery Plan Iron Mountain
Cloudian Products
The object storage buyer’s guide.
Technical/financial benefits; how to evaluate for your environment.
HyperIQ Observability & Analytics
Watch 2-min Intro
Evaluator Group Webinar
Skills Shortage? Ease the Storage Management Burden. Watch On-Demand
Scaling Object Storage with Adaptive Data Management
Get White Paper
Solutions
Industries , 2021 enterprise ransomware victims report.
Don’t Be a Victim
Scalable S3-Compatible Storage, On-Prem with AWS Outposts
Trending topic: on-prem s3 for data analytics.
Watch Webinar
Ransomware 2021: A Conversation with Veeam CISO Gil Vega
Hear His Thoughts
How a Private Cloud Addresses the Kubernetes Storage Challenge
Free White Paper
Data Security & Compliance: 3 ?s Every CIO Should Ask
Ask the Right ??s
5 Things Every MSP Should Know About Sovereign Cloud
Get Free eBook
TCO Report: NAS File Tiering
Learn how object storage can dramatically reduce Tier 1 storage costs
Get TCO Analysis
Satellite Application Catapult Deploys Cloudian for Scalable Storage
Replaces conventional NAS, saves 75%
Read Their Story
On-Demand Webinar
Veeam & Cloudian: Office 365 Backup – It’s Essential
Blog: How to Grow Your Storage and Not Your CAPEX Spend
Pay as you grow, starting at 1.3 cents/GB/month
Read the Blog
Why the FBI Can’t Stop Cybercrime and How You Can
Register Now
8 Reasons to Choose Cloudian for State & Local Government Data
Get 8 Reasons
Cloudian HyperStore SEC17a-4 Cohasset Assessment Report
Read the Assessment
Hybrid Cloud for Manufacturers
Tape: does it measure up, customer testimonial: university of leicester.
Hear from Mark
Public Health England: Resilient IT Infrastructure for an Uncertain Time
Watch On-Demand
How to Accelerate Genomics Data Analysis Pipelines by 10X
Hear from Weka
How MSPs Can Build Profitable Revenue Streams with Storage Services
Get IDC’s Take
Technology Partners
Get scalable storage on-prem for aws outposts.
Hear from AWS
Lock Ransomware Out with Commvault & Cloudian
Cribl stream with cloudian hyperstore s3 data lake, why object storage is best for advanced analytics apps in greenplum.
Explore Solution
Customer Video: NTT Communications
Hear from NTT
How to Store Kasten Backups to Cloudian
Klik.solutions delivers world-class backup-as-a-service with lenovo & cloudian.
Why They Chose Us
Modernize SQL Server with S3 Data Lake
Find Out How
How to Run Cloudian on OpenShift as a Container
Immutable object storage for european smbs from rnt rausch and cloudian, backup/archive to cloudian with rubrik nas cloud direct, on-premises object storage for snowflake analytics workloads.
Get the Details
Splunk, ClearShark, and Cloudian discuss Federal Industry Storage Trends
Teradata & cloudian: modern data analytics for hybrid and multi-cloud, 1-step to data protection: all you need to know about veeam v12 + cloudian.
Step up to Cloudian
Modernize Your Enterprise Archive Storage with Cloudian and Veritas
Read About It
Unified Analytics Data Lake Platform with Vertica and Cloudian HyperStore
Vmware cloud providers: get started in cloud storage, free..
Get Started
Weka + Cloudian: High-Performance, Exabyte-Scalable Storage for AI/ML
Customers , cloudian enables leading swiss financial institution to retain and analyze more big data.
Read Case Study
Indonesian Financial Services Company Replaces NAS With Cloudian
State of california selects storage-as-a-service offering powered by cloudian, cloudian provides utah state agencies with rubrik-compatible backup target, cuts costs by 75 percent, australian genomic sequencing leader accelerates research with cloudian, swiss education non-profit achieves scale and flexibility of public cloud on-prem with cloudian, indonesia ministry of education deploys cloudian object storage to keep up with data growth, leading german paper company meets growing data backup needs with cloudian, vox media automates archive process to accelerate workflow by 10x, wgbh boston builds a hybrid cloud active archive with cloudian hyperstore, large german retailer consolidates primary and secondary storage to cloudian, how a sovereign cloud provider succeeds in cloud storage services.
View On-Demand
IT Service Provider Drives Business Growth with Cloudian-based Offering
Calcasieu parish sheriff deploys hybrid cloud for digital evidence data, montebello bus lines mobile video surveillance with cloudian object storage, resources , storage guides , ransomware protection buyer’s guide.
Get Free Guide
Company
Cloudian named a gartner peer insights customers’ choice for distributed file systems and object storage.
Read Reviews
4 Disaster Recovery Plan Examples and 10 Essential Plan Items
What is a disaster recovery plan.
A disaster recovery plan defines instructions that standardize how a particular organization responds to disruptive events, such as cyber attacks, natural disasters, and power outages. A disruptive event may result in loss of brand authority, loss of customer trust, or financial loss.
The plan is a formal document that specifies how to minimize the effects of disaster scenarios, and help the organization minimize damage and restore operations quickly. To ensure effectiveness, organize your plan by the location and the type of disaster, and provide simple step by step instructions that stakeholders can easily implement.
Disaster recovery plan examples can be very useful when developing your own disaster recovery plan. We collected several examples of plans created by leading organizations, and a checklist of items that are essential to include in your new plan.
In this article:
- IBM’s Disaster Recovery Plan
- The Council on Foundations
- Micro Focus
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
- Hardware and Software Inventory
- Identify Personnel Roles
- List of Disaster Recovery Sites
- Remote Storage of Physical Documents and Storage Media
- Disaster Response Procedures
- Identify Sensitive Data
- Define a Communication Plan for Disaster Events
- Physical Facility Needs
- Run Disaster Recovery Drills
- Data Protection with Cloudian
4 Great Disaster Recovery Plan Examples
Each of these examples is also a template you can use to develop a disaster recovery plan for your organization.
For more background on how to build a plan from scratch, read our guide to disaster recovery plans
1. IBM’s Disaster Recovery Plan
Created by : IBM Pages : 13 Main sections:
- Major goals of a disaster recovery plan
- Application profile
- Inventory profile
- Information services backup procedures
- Disaster recovery procedures
- Recovery plan for mobile site
- Recovery plan for hot site
- Restoring the entire system
- Rebuilding process
- Testing the disaster recovery plan
Go to template
2. The Council on Foundations
Created by : The Council on Foundations Pages : 59 Main sections :
- Risks and Event Scenarios
- Plan Activation
- Responsibility and Delegation of Authority
- Incident Response Team (IRT)
- Incident Response Team Roles & Responsibilities
- Business Impact Analysis
- Recovery Activity Summary and Needs Assessment
- Vital Records
- Disaster Notification/Communications
- Personnel & Board Contact Information
- Building Evacuation
- Emergency Operations Center
- Business Recovery Locations
- Information Technology/Operations Preparedness
Download .PDF template
3. Evolve IP
Created by: Evolve IP Pages: 17 Main sections:
- Emergency Contact Form
- External Contacts
- Notification Network
- Disaster Management Team
- Network Team
- Server Team
- Applications Team
- Data & Backups
- Restoring IT Functionality
- Network Equipment
- Severity One System
- Plan Testing & Maintenance
- Recovery Completion Form
4. Micro Focus
Created by: Micro Focus Pages: 36 Main sections:
- Key Personnel Contact Info
- Plan Overview
- Financial and Legal Issues
- Technology Disaster Recovery Plan
- Suggested Forms
10 Things You Must Include in Your Disaster Recovery Plan Checklist
1. recovery time objective (rto) and recovery point objective (rpo).
A disaster recovery plan must make it clear what are your organization’s:
- RTO —the maximal time your organization can tolerate for recovering normal operations in case of a disaster (for example, recovery within 30 minutes, 2 hours, 12 hours)
- RPO —the maximal amount of data your organization can afford to lose (for example, an hour of data, 3 hours of data, one day of data)
2. Hardware and Software Inventory
For a plan to be effective, you must have a comprehensive, up-to-date inventory of your IT assets. Categorize them into the following categories:
- Critical —assets without which your business cannot operate
- Important —applications that are used at least once per day and can disrupt normal operations
- Unimportant —applications that are used less frequently than once per day
Ensure that your disaster recovery plan addresses all critical assets, and as many as possible of the important and unimportant assets, in that order.
3. Identify Personnel Roles
The plan should define who in the organization is responsible for disaster recovery processes, with their names and contact details. Critical responsibilities include:
- Ongoing backups and maintenance of business continuity systems
- Responsibility for declaring a disaster
- Responsibility for contacting third-party vendors
- Responsibility for reporting to management and liaising with customers, press, etc.
- Responsibility for managing the crisis and recovering from it
4. List of Disaster Recovery Sites
A disaster recovery plan must specify where the company’s assets are located, and where each group of assets will be moved if a disaster occurs. There are three types of sites:
- Hot sites —a fully functional data center with IT equipment, personnel and up to date customer data.
- Warm sites —a functional data center that allows access to critical systems only, without up-to-date customer data
- Cold sites —used to store backups of systems or data, but without the ability to immediately run operational systems
5. Remote Storage of Physical Documents and Storage Media
Most organizations have a large quantity of physical documents and/or storage media like DVDs, external hard drives or backup tapes, which must be protected in case of a disaster. Unexpected loss of this data can be detrimental to the business or result in compliance violations. Therefore, copies of all critical documents must be stored in a remote location.
6. Disaster Response Procedures
A key element of a disaster recovery plan is a documented procedure for responding to a catastrophic event. The first few hours of an event are critical, and staff should know exactly what to do to minimize damage to organizational systems, and recover systems to resume normal operations.
A DR procedure should include clear action steps, in simple and unambiguous language, including how to fail over to the disaster recovery site and ensure that recovery is successful.
Related content: Read our guide to disaster recovery policy
7. Identify Sensitive Data
All organizations maintain sensitive data, which may also be subject to compliance requirements, such as Personally Identifiable Information (PII), credit cardholder data, or other valuable data like intellectual property (IP).
A disaster recovery plan must identify how this sensitive data is securely backed, and who should have access to the original copy and the backups, both during normal operations and in the event of a disaster.
8. Define a Communication Plan for Disaster Events
When disaster strikes, a company must have a clear plan for delivering essential information to affected parties, including:
- Vendors and suppliers
- Compliance authorities
The communication plan should include elements like public relations (PR), communication on the company websites, and social media. When there is a clear channel of communication with stakeholders about an event, customers and other stakeholders will feel reassured and will be more likely to continue their relationship with the company.
9. Physical Facility Needs
In case of a physical disaster like a flood or earthquake, there will be a need to restore physical facilities. The disaster recovery plan should specify what is the minimal facility that will enable the company to restore normal operations—including office space, location, furniture needed, computing and IT equipment.
10. Run Disaster Recovery Drills
Disaster recovery plans might look great on paper, but fail when they are needed most. To avoid this from happening, run a drill and test your plan in a realistic scenario. Learn the lessons from the drill and update the plan to make it clearer and more effective for all parties involved. Disaster recovery plans must be updated at least once per year.
Protecting Data Effortlessly with Cloudian
If you need to backup data to on-premises storage, Cloudian offers low-cost disk-based storage with capacity up to 1.5 Petabytes. You can also set up a Cloudian appliance in a remote site and save data directly to the remote site using our integrated data management tools.
Alternatively, you can use a hybrid cloud setup. Backup data to a local Cloudian appliance, and configure it to replicate all data to the cloud. This allows you to access data locally for quick recovery, while keeping a copy of data on the cloud in case a disaster affects the on-premise data center.
Learn more about Cloudian’s data protection solution.
Get Started With Cloudian Today
Request a Demo
Join a 30 minute demo with a Cloudian expert.
Download a Free Trial
Try Cloudian in your shop. Run on any VM, even your laptop.
Receive a Cloudian quote and see how much you can save.
IMAGES
VIDEO
COMMENTS
Disaster recovery is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle. It employs policies, tools, and procedures.
A disaster recovery plan ( DRP) is a documented process or set of procedures to execute an organization's disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster. [3] It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster". [4]
A disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan ( BCP ). It is applied to the aspects of an organization that depend on a functioning information technology (IT) infrastructure.
Disaster recovery planning involves strategizing, planning, deploying appropriate technology, and continuous testing. Maintaining backups of your data is a critical component of disaster recovery planning, but a backup and recovery process alone does not constitute a full disaster recovery plan.
A Disaster Recovery Plan (DRP) is a business plan that describes how work can be resumed quickly and effectively after a disaster. Disaster recovery planning is just part of business continuity planning and is applied to aspects of an organization that rely on an IT infrastructure to function.
A disaster recovery plan defines instructions that standardize how a particular organization responds to disruptive events, such as cyber attacks, natural disasters, and power outages. A disruptive event may result in loss of brand authority, loss of customer trust, or financial loss.