Docy Child

BIZOPS-6 Disaster Recovery Testing

Estimated reading: 2 minutes 692 views

What is this control about?

The defined disaster recovery plan must be tested at least once a year. That’s where the Disaster Recovery Testing control comes in.

There are no specific requirements on what the testing includes. This is left to the discretion of each organization. The exercise of identifying the critical systems that would need to remain operational and documenting a plan for recovering those systems in the event of a disaster must be tested to confirm the soundness of the plan.

Due to the sensitive and disruptive nature of this testing, it is best to plan ahead and perform it during off hours.

Available tools in the marketplace

No tools recommendation for this section

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

At a minimum, perform a tabletop exercise with all interested parties during which a full walkthrough of the recovery exercise should be discussed and documented in a ticket. Ensure the following are performed:

  • Data recovery to confirm that backup data will be available in the event that the main database is unavailable

This should occur at least annually and must be documented in a formal way (ticket or word doc). The steps and results must be thoroughly documented.

Going above and beyond:

Initiate a full interruption of critical systems and recovery of each system. The time that it took to recover the systems must be documented.

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action:

  • Provide the meeting invite, agenda and notes of the tabletop exercise
  • Provide the before and after screenshots of the data recovery demonstrating that the data was recovered from one point to another

Above and beyond: Provide documentation of the full interruption exercise

Evidence example

From the suggested action above, an example is provided below.

  1. Provide documentation of the full interruption exercise.

TrustCloud table-top exercise demonstrates the date the table-top exercise was completed, the test strategy and the action items.

Disaster Recovery Testing

Along with the tabletop exercise, upload the data restore ticket. The ticket includes the restore strategy, the before and after and restore results.

Disaster Recovery Testing



Join the conversation

Twitter Facebook LinkedIn

❤️  Joyfully crafted by a 100% distributed team.