Disaster Recovery Plan

[Company Name]

Document Owner:
Effective Date:
Updated:

Disclaimer: This sample policy has been provided by Apptega, Inc. as a generic document to support the
development of your compliance program. It is unlikely to be complete for your organization without
customization. This is document is not legal advice and Apptega is not a registered CPA firm.
Disaster Recovery Plan
Version 1.0
[Updated Date]

[Company Name]
Disaster Recovery Plan
Effective Date: Document Owner:
Revision History
Revision Rev. Date Description Prepared By Reviewed By Date Approved By Date
1.0

1. Purpose................................................................................................................................................2
2. Scope...................................................................................................................................................2
3. Disaster Recovery Teams & Responsibilities........................................................................................3
3.1 Disaster Recovery Lead................................................................................................................3
3.2 Disaster Management Team........................................................................................................4
3.3 Network Team.............................................................................................................................4
3.4 Server Team.................................................................................................................................5
3.5 Applications Team.......................................................................................................................6
3.6 Operations Team.........................................................................................................................6
3.7 Senior Management Team..........................................................................................................7
3.8 Disaster Recovery Call Tree..........................................................................................................8
4. Data and Backups................................................................................................................................8
5. Communicating During a Disaster.......................................................................................................8
5.1 Communicating with Authorities.................................................................................................9
5.2 Communicating with Employees.................................................................................................9
5.3 Communicating with Customers..................................................................................................9
5.4 Communication with Vendors and Partners................................................................................9
6. Addressing a Disaster........................................................................................................................10
6.1 Disaster Identification and Declaration......................................................................................10
6.2 Disaster Recovery Plan Activation..............................................................................................11
6.3 Communicating the Disaster......................................................................................................11
6.4 Assessment of Current and Prevention of Further Damage......................................................11
6.5 Standby Facility Activation.........................................................................................................12
6.6 Restoring IT Functionality..........................................................................................................12

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

6.7 Plan Testing & Maintenance......................................................................................................12

6.8 Maintenance..............................................................................................................................12
6.9 Testing.......................................................................................................................................13
7. Related Standards, Policies, and Processes.......................................................................................13
8. Definitions and Terms........................................................................................................................14

1. Purpose
The Disaster Recovery Plan (DRP) captures all of the information that describes the
organization’s ability to withstand a disaster as well as the processes that must be
followed to achieve disaster recovery. In the event of a disaster, the first priority is to
prevent the loss of life. Before any secondary measures are taken, the organization will
ensure that all employees and any other individuals on the organization’s premises are
safe and secure.
After all individuals have been brought to safety, the next goal will be to enact the steps
outlined in this DRP to bring all organizational groups and departments back to
business-as-usual as quickly as possible. This includes:

 Preventing the loss of the organization’s resources such as hardware, data, and
physical IT assets
 Minimizing downtime related to IT
 Keeping the business running in the event of a disaster
This DRP also details how this document will be maintained and tested.

2. Scope
The DRP takes all the following into consideration:
 Network Infrastructure
 Server Infrastructure
 Telephone Systems
 Data Storage and Backup Systems
 Database Systems
 IT Documentation

This DRP does not take into consideration any non-IT, personnel, Human Resources, and
real estate related disasters. For any disasters not addressed in this document, refer to
the Business Continuity Plan.

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

3. Disaster Recovery Teams & Responsibilities

In the event of a disaster, different groups will be required to assist in the effort to
restore normal functionality to the employees within the organization. The different
groups and their responsibilities are as follows:

 Disaster Recovery Lead

 Disaster Management Team
 Network Team
 Server Team
 Applications Team
 Operations Team
 Senior Management Team
 <Other groups as necessary>
The lists of roles and responsibilities in this section have been created by the
organization and reflect the likely tasks that team members will have to perform.
Disaster Recovery Team members will be responsible for performing all of the tasks
below. In some disaster situations, Disaster Recovery Team members will be called upon
to perform tasks not described in this section.

3.1 Disaster Recovery Lead

3.1.1 The Disaster Recovery Lead is responsible for making all decisions related to
the Disaster Recovery efforts. This person’s primary role will be to guide the
disaster recovery process and all other individuals involved in the disaster
recovery process will report to this person in the event that a disaster occurs,
regardless of their department and existing managers. All efforts will be
made to ensure that this person be separate from the rest of the disaster
management teams to keep his/her decisions unbiased; the Disaster
Recovery Lead will not be a member of other Disaster Recovery groups in in
the organization.
3.1.2 The Disaster Recovery Lead will have the following roles and responsibilities:
 Make the determination that a disaster has occurred and trigger
the DRP and related processes
 Initiate the DR Call Tree
 Be the single point of contact for and oversee the DR Team
3.1.3 The following person will be the designated DR Lead:

Name Role/Title Work Phone Mobile Phone

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

3.2 Disaster Management Team

3.2.1 The Disaster Management Team will oversee the entire disaster recovery
process. They will be the team that will need to act in the event of a disaster.
This team will evaluate the disaster and will determine what steps need to be
taken to get the organization back to business as usual.
3.2.2 The Disaster Management Team will have the following roles and
responsibilities:
 Set the DRP into motion after the Disaster Recovery Lead has
declared a disaster
 Determine the magnitude and class of the disaster
 Determine what systems and processes have been affected by the
disaster
 Keep a record of money spent during the disaster recovery
process
 Ensure that all decisions made abide by the DRP and policies set
by the organization
 Create a detailed report of all the steps undertaken in the disaster
recovery process
 Notify the relevant parties once the disaster is over and normal
business functionality has been restored
 After the organization is back to business as usual, this team will
be required to summarize any and all costs and will provide a
report to the Disaster Recovery Lead summarizing their activities
during the disaster

Name Role/Title Work Phone Mobile Phone

3.3 Network Team

3.3.1 The Network Team will be responsible for assessing damage specific to any
network infrastructure and for provisioning data and voice network
connectivity including WAN, LAN, and any telephonic connections internally
within the enterprise as well as telephony and data connections with the
outside world. They will be primarily responsible for providing baseline
network functionality and may assist other IT Teams as required or
necessary.
3.3.2 The Network Team will have the following roles and responsibilities:

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

 If multiple network services are impacted, the team will prioritize

the recovery of services in the manner and order that has the
least business impact.
 If network services are provided by third parties, the team will
communicate and coordinate with these third parties to ensure
recovery of connectivity.
 Once critical systems have been provided with connectivity,
employees will be provided with connectivity in the following
order:
o All members of the DR Teams
o All remaining employees
 Install and implement any tools, hardware, software, and systems
required in the primary facility
 After the organization is back to business as usual, this team will
summarize any and all costs and will provide a report to the
Disaster Recovery Lead summarizing their activities during the
disaster.

Name Role/Title Work Phone Mobile Phone

3.4 Server Team

3.4.1 The Server Team will be responsible for providing the physical server
infrastructure required for the enterprise to run its IT operations and
applications in the event of and during a disaster. They will be primarily
responsible for providing baseline server functionality and may assist other IT
teams as required.
3.4.2 The Server Team will have the following roles and responsibilities:
 If multiple servers are impacted, the team will prioritize the
recovery of servers in the manner and order that has the least
business impact. Recovery will include the following tasks:
o Assess the damage to any servers
o Restart and refresh servers if necessary
 Install and implement any tools, hardware, and systems required
in the primary facility
 After the organization is back to business as usual, this team will
summarize any and all costs and will provide a report to the

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

Disaster Recovery Lead summarizing their activities during the

disaster.

Name Role/Title Work Phone Mobile Phone

3.5 Applications Team

3.5.1 The Applications Team will be responsible for ensuring that all enterprise
applications operate as required to meet business objectives in the event of
and during a disaster. They will be primarily responsible for ensuring and
validating appropriate application performance and may assist other IT
Teams as required.
3.5.2 The Applications Team will have the following roles and responsibilities:
 If multiple applications are impacted, the team will prioritize the
recovery of applications in the manner and order that has the
least business impact. Recovery will include the following tasks:
o Assess the impact to application processes
o Restart applications as required
 Install and implement any tools, software, and patches required in
the primary facility
 After the organization is back to business as usual, this team will
summarize any and all costs and will provide a report to the
Disaster Recovery Lead summarizing their activities during the
disaster.

Name Role/Title Work Phone Mobile Phone

3.6 Operations Team

3.6.1 The Operations Team’s primary goal will be to provide employees with the
tools they need to perform their roles as quickly and efficiently as possible.
They will need to provision all employees working from home with the tools
that their specific role requires.
3.6.2 The Operations Team will have the following roles and responsibilities:

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

 Ensure sufficient spare computers and laptops are on hand so that

work is not significantly disrupted in a disaster.
 If insufficient computers/laptops or related supplies are not
available, the team will prioritize distribution in the manner and
order that has the least business impact.
 After the organization is back to business as usual, this team will
be required to summarize any and all costs and will provide a
report to the Disaster Recovery Lead summarizing their activities
during the disaster.

Name Role/Title Work Phone Mobile Phone

3.7 Senior Management Team

3.7.1 The Senior Management Team will make any business decisions that are out
of scope for the Disaster Recovery Lead. Decisions such as constructing a new
data center, relocating the primary site, etc. should be made by the Senior
Management Team. The Disaster Recovery Lead will ultimately report to this
team.
3.7.2 The Senior Management Team will have the following roles and
responsibilities:
 Ensure the Disaster Recovery Team Lead is held accountable for
his/her role
 Assist the Disaster Recovery Team Lead in his/her role as required
 Make decisions that will impact the company. This can include
decisions concerning:
o Rebuilding of the primary facilities
o Significant hardware and software investments and
upgrades
o Other financial and business decisions

Name Role/Title Work Phone Mobile Phone

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

3.8 Disaster Recovery Call Tree

3.8.1 In a disaster recovery or business continuity emergency, the organization will
make use of a Call Tree to ensure that appropriate individuals are contacted
in a timely manner.
3.8.2 The Disaster Recovery Team Lead will call all Level 1 members.
3.8.3 Level 1 members call all Level 2 members over whom they are responsible.

Level Contact Office Work Phone Mobile Phone

Lead DR Lead
<Name>
1 DR Management Team
<Name>
1 Senior Management
Team
<Name>
2 Network Team
<Name>
2 Server Team
<Name>
2 Applications Team
<Name>
2 Operations Team
<Name>

4. Data and Backups

This section explains where all the organization’s data resides as well as where it is
backed up to. Use this information to locate and restore data in the event of a disaster.
The data below should be presented in order of criticality:

Rank Data Data Type Backup Frequency Backup

Locations
1 Network Drives
2 Customer Files
3 Administrative
Files

5. Communicating During a Disaster

In the event of a disaster, the organization will need to communicate with various
parties to inform them of the effects on the business, surrounding areas, and timelines.
The Communications Team will be responsible for contacting these parties.

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

5.1 Communicating with Authorities

5.1.1 The Communications Team’s first priority will be to ensure that the
appropriate authorities have been notified of the disaster, providing the
following information:
 The location of the disaster
 The nature of the disaster
 The magnitude of the disaster
 The impact of the disaster
 Assistance required in overcoming the disaster
 Anticipated timelines
5.1.2 The authority contacts are listed below:

Authorities Point of Contact Phone Number

Police Department Dispatch 911
Fire Department Dispatch 911

5.2 Communicating with Employees

5.2.1 The organization’s second priority will be to ensure that the entire company
has been notified of the disaster. The best and/or most practical means of
contacting all employees will be used on accordance with the DR Call Tree.
5.2.2 Employees should be informed of the following:
 Whether it is safe for them to come into the office
 Where they should work remotely if they cannot come into the office
 Which services are still available to them
 Work expectations of them during the disaster

5.3 Communicating with Customers

5.3.1 After all of the organization’s employees have been informed of the disaster,
the Communications Team will be responsible for informing clients of the
disaster and the impact that it will have on the following:
 Anticipated impact on service offerings
 Anticipated impact on security of customer information
 Anticipated timelines
5.3.2 Customers will be emailed, then called if email services are unavailable.

5.4 Communication with Vendors and Partners

5.4.1 After all of the organization’s employees have been informed of the disaster,
the Communications Team will be responsible for informing vendors of the
disaster and the impact that it will have on the following:

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

 Adjustments to service requirements

 Adjustments to contact information
 Anticipated timelines
5.4.2 Critical vendors or partners will be made aware of the disaster situation first
by email or telephone. Critical vendors are those outlined in the
organization’s Business Continuity Plan (BCP). All other vendors and partners
will be contacted only after all critical vendors and partners have been
contacted.

6. Addressing a Disaster
If a disaster occurs in the organization, the first priority is to ensure that all employees
are safe and accounted for. After this, steps must be taken to mitigate any further
damage to the facility and to reduce the impact of the disaster to the organization.
Regardless of the category the disaster falls into, dealing with a disaster can be broken
down into the following steps:

 Disaster identification and declaration

 DRP activation
 Communicating the disaster
 Assessment of current and prevention of further damage
 Repair and rebuilding of the primary facility

6.1 Disaster Identification and Declaration

6.1.1 Since it is almost impossible to predict when and how a disaster might occur,
the organization must be prepared to find out about disasters from a variety
of possible avenues. These can include:
 First hand observation
 Systems Alarms and Network Monitors
 Environmental and Security Alarms in the primary facility
 End users
 3rd Party Vendors
 Media Reports
6.1.2 Once the Disaster Recovery Lead has determined that a disaster has
occurred, she/he must officially declare that the company is in an official
state of disaster. It is during this phase that the Disaster Recovery Lead must
ensure that anyone that was in the primary facility at the time of the disaster
has been accounted for and evacuated to safety according to the company’s
evacuation procedures.

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

6.1.3 While employees are being brought to safety, the Disaster Recovery Lead will
instruct the Communications Team to begin contacting the Authorities and
all employees not at the impacted facility that a disaster has occurred.

6.2 Disaster Recovery Plan Activation

6.2.1 Once the Disaster Recovery Lead has formally declared that a disaster has
occurred, she/he will initiate the activation of the DRP by triggering the
Disaster Recovery Call Tree. The following information will be provided in the
calls that the Disaster Recovery Lead makes and should be passed during
subsequent calls:
 That a disaster has occurred
 The nature of the disaster (if known)
 The initial estimation of the magnitude of the disaster (if known)
 The initial estimation of the impact of the disaster (if known)
 The initial estimation of the expected duration of the disaster (if
known)
 Any other pertinent information
6.2.2 If the Disaster Recovery Lead is unavailable to trigger the Disaster Recovery
Call Tree, that responsibility shall fall to the Disaster Management Team
Lead.

6.3 Communicating the Disaster

6.3.1 Refer to Section 5 of this document for communication procedures.

6.4 Assessment of Current and Prevention of Further Damage

6.4.1 Before any employees from the organization can enter the primary facility
after a disaster, appropriate authorities must first ensure that the premises
are safe to enter.
6.4.2 The first team that will be allowed to examine the primary facilities once it
has been deemed safe to do so will be the Management Team. Once the
Management Team has completed an examination of the building and
submitted its report to the Disaster Recovery Lead, all additional teams will
be allowed to examine the building. All teams will be required to create an
initial report on the damage and provide this to the Disaster Recovery Lead
within 72 hours of the initial disaster.
6.4.3 During each team’s review of their relevant areas, they must assess any areas
where further damage can be prevented and take the necessary means to
protect the organization’s assets. Any necessary repairs or preventative
measures must be taken to protect the facilities; these costs must first be
approved by the Management Team.

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

6.5 Standby Facility Activation

6.5.1 The Standby Facility is outlined in the Business Continuity Plan. All staff will
work remotely from home if a new Primary Facility has not been secured.

6.6 Restoring IT Functionality

6.6.1 Should a disaster occur, and the organization needs to execute this plan, this
section will be referred to frequently as it will contain all of the information
that describes the manner in which the organization’s information systems
will be recovered.
6.6.2 The current system architecture includes the following:

Rank IT System System Components (in order of

importance)
1
2
3

6.7 Plan Testing & Maintenance

6.7.1 While efforts will be made initially to construct this DRP as completely and
accurately as possible, it is essentially impossible to address all possible
problems at any one time. Additionally, over time the Disaster Recovery
needs of the enterprise will change. As a result of these two factors this plan
will need to be tested on a periodic basis to discover errors and omissions
and will need to be maintained to address them.
6.7.2 The organization will test the Disaster Recovery Plan on the following
schedule:
 <Outline the testing frequency here>

6.8 Maintenance
6.8.1 The DRP will be updated annually or any time a major system update or
upgrade is performed, whichever is more often. The Disaster Recovery Lead
will be responsible for updating the entire document and is permitted to
request information and updates from other employees within the
organization in order to complete this task.
6.8.2 Maintenance of the plan will include, but is not limited to, the following:
 Ensuring that call trees are up to date
 Ensuring that all team lists are up to date
 Reviewing the plan to ensure that all of the instructions are still
relevant to the organization

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]


Making any major changes and revisions in the plan to reflect
organizational shifts, changes and goals
 Ensuring that the plan meets any requirements specified in new laws
 Other organizational specific maintenance goals
6.8.3 During the Maintenance periods, any changes to the Disaster Recovery
Teams must be accounted for. If any member of a Disaster Recovery Team no
longer works for the company, it is the responsibility of the Disaster Recovery
Lead to appoint a new team member.

6.9 Testing
6.9.1 <Company> is committed to ensuring that this DRP is functional. The DRP
should be tested every year in order to ensure that it is still effective. Testing
the plan will be carried out as follows:
6.9.1.1 Walkthroughs- Team members verbally go through the specific steps as
documented in the plan to confirm effectiveness, identify gaps,
bottlenecks or other weaknesses. This test provides the opportunity to
review a plan with a larger subset of people, allowing the DRP project
manager to draw upon a correspondingly increased pool of knowledge
and experiences. Staff should be familiar with procedures, equipment,
and offsite facilities.
6.9.1.2 Simulations- A disaster is simulated so normal operations will not be
interrupted. Hardware, software, personnel, communications,
procedures, supplies and forms, documentation, transportation, utilities,
and alternate site processing should be thoroughly tested in a simulation
test. However, validated checklists can provide a reasonable level of
assurance for many of these scenarios. Analyze the output of the
previous tests carefully before the proposed simulation to ensure the
lessons learned during the previous phases of the cycle have been
applied.
6.9.2 Any gaps in the DRP that are discovered during the testing phase will be
addressed by the Disaster Recovery Lead as well as any resources that he/she
will require.

7. Related Standards, Policies, and Processes

 Incident Response Policy
 Business Continuity Plan
 Vendor Management Policy
 Change Management Policy

CONFIDENTIAL
Disaster Recovery Plan
Version 1.0
[Updated Date]

8. Definitions and Terms

The following definitions are not all-inclusive and should be updated as new information
is made available:

Term Definition

CONFIDENTIAL