What is the Disaster Recovery control?
Strike Graph's default control language is: "A Disaster Recovery Plan is maintained and tested annually."
This language should be customized to reflect the specific process that your organization has defined. For example, if your Disaster Recovery Plan is reviewed at a different frequency, then you should update the control language to reflect that. It's important that your stated control description accurately reflects how your organization implements this control.
TIP! If your Disaster Recovery Plan is included within your Business Continuity Plan, you can deactivate this control. Be sure to update the name of your Business Continuity Plan to Business Continuity and Disaster Recovery Plan.
Which framework is this for?
HIPAA, SOC 2, ISO 27001
Why is this control important?
Testing your Disaster Recovery Plan means that your organization will have practice should an event happen where data needs to be restored. This is a key element in ensuring that the business can continue in the event of a disaster or outage.
Who’s involved with this control?
Typical control owner: CTO
Typical parties involved: Application and software development teams
How often should I perform this control?
Typical Frequency: The disaster recovery plan should be tested and revised annually at a minimum, but in most organizations this is an ongoing practice. When testing the effectiveness of your plan, include a restoration test on your network.
How do I perform this control?
In smaller organizations, the best way to perform this particular control is to participate in a mock disaster recovery exercise. You can also test the ability to reinstate the normal infrastructure and identify whether any data was lost in the process. This will put you in great shape when a disaster occurs.
Hot Tip: If there has been a need to restore data in the last 11 months, you might be able to use that real example as the test.
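The restoration test described above produces its evidence by comparing what came back from backup against what the business actually had at the moment of the disaster, and by timing the restore. The script below is an added example (not Strike Graph's code or part of the control text) of how a small team might record that comparison: it stages a constructed dataset, takes a "backup", lets the data change, restores from the backup, and then reports missing or stale files together with the achieved recovery point and recovery time against plan targets. The directory layout, timestamps and the 24-hour RPO / 4-hour RTO targets are all assumptions chosen for the illustration.

```python
"""Verify a disaster-recovery restoration test: compare restored data against
the pre-disaster dataset and check the achieved RPO/RTO against plan targets.
Every directory, file and timestamp below is constructed for the example."""
from __future__ import annotations

import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(expected: dict[str, str], restored: dict[str, str]) -> dict[str, list[str]]:
    """Classify files as missing (lost), changed (stale or corrupt) or extra."""
    return {
        "missing": sorted(p for p in expected if p not in restored),
        "changed": sorted(p for p in expected if p in restored and expected[p] != restored[p]),
        "extra": sorted(p for p in restored if p not in expected),
    }


def evaluate_test(diff, backup_time, disaster_time, restore_start, restore_end, rpo, rto) -> dict:
    """Summarise whether the restoration met the plan's objectives.
    Achieved RPO is the window of data written after the last backup;
    achieved RTO is how long the restore itself took."""
    achieved_rpo = disaster_time - backup_time
    achieved_rto = restore_end - restore_start
    return {
        "data_loss": bool(diff["missing"] or diff["changed"]),
        "achieved_rpo_hours": achieved_rpo.total_seconds() / 3600,
        "rpo_met": achieved_rpo <= rpo,
        "achieved_rto_hours": achieved_rto.total_seconds() / 3600,
        "rto_met": achieved_rto <= rto,
    }


def run_mock_restore_test() -> dict:
    """Stage a tiny dataset, back it up, change it afterwards, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        live.mkdir()
        (live / "customers.csv").write_text("id,name\n1,alice\n")
        (live / "config.yaml").write_text("retention_days: 30\n")

        # Nightly backup (constructed): copy everything that exists at backup_time.
        backup.mkdir()
        for f in live.iterdir():
            (backup / f.name).write_bytes(f.read_bytes())
        backup_time = datetime(2024, 3, 1, 1, 0)

        # Business continues: a record is appended and a new file appears after the backup.
        (live / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (live / "orders.csv").write_text("id,total\n1,9.99\n")
        expected = hash_tree(live)  # what the organisation would need to get back
        disaster_time = datetime(2024, 3, 1, 9, 30)

        # Restore from the backup into a fresh location and time it.
        restored_dir = Path(tmp) / "restored"
        restored_dir.mkdir()
        restore_start = datetime(2024, 3, 1, 9, 45)
        for f in backup.iterdir():
            (restored_dir / f.name).write_bytes(f.read_bytes())
        restore_end = datetime(2024, 3, 1, 11, 15)

        diff = compare_trees(expected, hash_tree(restored_dir))
        result = evaluate_test(diff, backup_time, disaster_time, restore_start, restore_end,
                               rpo=timedelta(hours=24), rto=timedelta(hours=4))
        result["diff"] = diff
        return result


if __name__ == "__main__":
    import json
    print(json.dumps(run_mock_restore_test(), indent=2))
```

In this constructed run the restore meets both the RPO and RTO targets, yet `orders.csv` is reported missing and `customers.csv` stale, which is exactly the kind of finding a test should surface: the plan's objectives can be met while the business still loses the morning's work. Keeping the JSON output alongside the date and participants of the exercise gives an auditor the evidence that the control was performed, not just documented.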
