DOCU-02

Do you have a well-documented disaster recovery plan (DRP), with a clear owner, that is tested annually?

Explanation

This question is asking whether your organization has a formal, documented Disaster Recovery Plan (DRP) in place. A DRP is a structured approach that outlines how an organization will recover and restore its IT infrastructure and operations following a disaster or major disruption.

The question specifically asks about three key aspects:

1. Documentation: Is the plan well-documented with clear procedures?
2. Ownership: Is there a designated person or team responsible for the plan?
3. Testing: Is the plan tested at least annually to ensure it works?

This question is asked in security assessments because disasters (natural or man-made) can severely impact service availability and data integrity. Organizations without proper recovery plans risk extended downtime, data loss, and inability to meet contractual obligations or compliance requirements. A well-tested DRP demonstrates that an organization has thought through various disaster scenarios and has concrete steps to recover operations, minimizing the impact on customers and their data.

To best answer this question, you should:

- Clearly state whether you have a formal DRP
- Identify who owns and maintains the DRP (title/role, not specific names)
- Describe how often the DRP is reviewed and updated
- Explain your testing methodology and frequency
- Mention any standards or frameworks the DRP aligns with (e.g., ISO 27031, NIST SP 800-34)
- If possible, provide high-level metrics from your most recent test (e.g., recovery time objectives achieved)

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive Disaster Recovery Plan that is owned by our Director of Infrastructure and Security Operations. The DRP is formally documented in our security management system and includes detailed procedures for various disaster scenarios, including natural disasters, cyber attacks, and infrastructure failures. The plan defines clear Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for all critical systems. We conduct full DR testing annually, with the most recent test completed in March 2023, and tabletop exercises are performed quarterly. Test results are documented, reviewed by our executive team, and any identified gaps are addressed through a formal remediation process. Our DRP aligns with NIST SP 800-34 guidelines and is integrated with our broader Business Continuity Plan.

Example Response 2

Yes, we have a well-documented Disaster Recovery Plan that is maintained in our company wiki and reviewed quarterly. The Chief Technology Officer serves as the DRP owner, with day-to-day management delegated to our Infrastructure Team Lead. Our DRP covers all production systems and includes specific recovery procedures for our cloud infrastructure in AWS and Azure environments. We conduct annual full-scale DR tests where we simulate a complete primary data center outage and activate our secondary region. Our most recent test was conducted in November 2022, successfully achieving our 4-hour RTO and 15-minute RPO targets. Additionally, we perform component-level recovery tests on a rotating monthly basis. All test results are documented and reviewed during our quarterly security steering committee meetings.

Example Response 3

No, we currently do not have a formal Disaster Recovery Plan with regular testing. While we do have some basic backup procedures in place and informal recovery guidelines, we recognize this is a gap in our security program. Our organization is in the process of developing a comprehensive DRP, with our newly hired IT Operations Manager designated as the owner. We have drafted initial documentation and expect to complete our first formal DRP within the next 90 days. Once established, we plan to implement annual testing beginning in Q4 of this year. In the interim, we mitigate risks through redundant cloud infrastructure, regular backups with test restores, and a distributed architecture that provides some natural resilience against localized failures.

Context

Tab: Organization
Category: Documentation

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub