How to Create a Disaster Recovery Plan

Disaster Recovery Plan

Business Continuity vs. Disaster Recovery    

While similar in nature and often confused, business continuity planning and disaster recovery planning are two distinctly different activities, and yet entwined. Disaster recovery is a significant component of continuity planning, but it would be short-sighted to replace a business continuity plan with a disaster recovery plan, and here’s why:  Business continuity (BC) deals with all of the essential business aspects, whereas disaster recovery (DR) is specific to the vital technology necessary to run business functions. The need for both can stem from natural- or human-induced disasters and are related — but not necessarily inclusive. For example, an incident related to a specific site or application may require disaster recovery for that site or application but no relocation of office staff or any other resources is necessary. If a large natural disaster impacts business for any given time, companies may activate both business continuity and disaster recovery plans.

Goals of a DR Plan

The primary goal of a disaster recovery plan is to ensure the recovery of applications and systems necessary to provide business functions in the event of a disaster or sustained outage. These operations are business-centric. Secondarily, DR plans enable business continuity. For BC plans to work, the underlying infrastructure must be in place to facilitate a return to operations. Disaster recovery should also ensure compliance and regulatory requirements in effect in a production environment remain in place during disaster recovery. A plan can be application- or site-specific or exist for the entire company.

Disaster Recovery Plan Methodology

Having a “plan for your plan” is essential to maintain standardization and repeatability. With disaster recovery plans, we highlight five key steps for creating and maintaining a DR plan: identify, define, document, test, repeat. All are critical elements of a successful DR approach.

1.     Identify


  •       Hardware, software, stakeholders for applications, systems, and workloads
  •       Network configurations
  •       Locations

Recovery strategy and sites

  •       Cloud, other corporate location, colocation space
  •       The 3-2-1 rule for your data

Businesses should rigorously assess all components necessary for normal operations when identifying assets and recovery strategies, including application owners and users, virtual or physical state and location, configurations, and vendor information. Recovery strategies are crucial to prevent confusion or delays during an actual crisis, and remember to protect your data in its new/temporary location.

2.     Define

Disasters by severity – risk assessment

  •       Nature and duration, by location
  •       What constitutes a disaster

Tiers for applications -1/2/3, etc.

Business impact analysis

  •       Financial
  •       Customers
  •       Employees

RTO/RPO for each application

Application owners and key players

Failover/failback plan

Response operations and crisis communications

By defining items, businesses remove ambiguity from a process. Clear definitions also allow for understanding what is essential and how applications and workloads affect different parts of an organization. Some geographic locations are also more susceptible to unique natural disasters than others, so keep that in mind while defining disaster response.

3.     Document

  •       Everything from the previous two stages
  •       Contact info, contractors, vendor information, call trees
  •       Recovery checklists
  •       Access control lists

Documentation is an essential part of any disaster recovery plan.  A critical thing to remember is to create all documentation with the mindset of the potential reader who knows nothing about your acronyms, vocabulary, slang, or common terminology. In addition, employees should update documentation regularly and during any moves, additions, changes, or deletions (MACD) happening within the organization.

Be sure to keep a copy of the plan offsite, preferably with your DRaaS provider, so that you can access it if your internal systems are unavailable.

4.     Disaster Recovery Testing


  •       Quarterly, annually
  •       As needed with new applications or systems

A disaster recovery test is critical to ensure success. You are testing the functionality of workloads. and the process, and flow of the plan itself. Have someone unfamiliar with the department or systems walk through the plan to verify its accuracy, identifying any gaps in the plan that might not be obvious to people familiar with the specific systems. 

5.     Refine/Revise/Repeat

Refine steps as necessary

  •       Did any actions not work?
  •       Were any gaps discovered?
  •       Were any systems missed?

Continue to revise and update regularly

  •       Employee turnover
  •       MACDs (move/add/change/delete)

Repeat the DR plan review

Disaster Recovery Plan Takeaways:

Disaster recovery plans are arduous to create and maintain but are crucial for businesses to guarantee success after extended outages or disasters. Some organizations have audit- or regulatory mandates regarding DR plans. 

Generally, DR plans should include input from every department and contain an inventory of all assets critical to business functions or business continuity. Tiering applications and workloads, and understanding the impacts of those systems, is key to directing efforts to reduce adverse effects during outages. This process also facilitates compliance and security should systems become unavailable.

Businesses should regularly test and revise DR plans based on their specific needs, maintain familiarity, and address any changes to the infrastructure before a disaster strikes. Download this free printable DR Plan Checklist to stay on track. 

Disaster Recovery as a Service


Submit a Comment

Your email address will not be published. Required fields are marked *