Business continuity and disaster recovery auditing

[1][2] The primary objective is to protect the organization in the event that all or part of its operations and/or computer services are rendered partially or completely unusable.

Although there is no one-size-fits-all plan,[5] there are three basic strategies:[3][5] The latter may include securing proper insurance policies, and holding a "lessons learned" brainstorming session.

Such list is made and periodically updated to reflect changing business practices and as part of an IT asset management system.

As such, a business continuity plan is a comprehensive organizational strategy that includes the DRP as well as threat prevention, detection, recovery, and resumption of operations should a data breach or other disaster event occur.

Controls and protections are put in place to ensure that data is not damaged, altered, or destroyed during this process.

Effective DR plans take into account the extent of a company's responsibilities to other entities and its ability to fulfill those commitments despite a major disaster.

A good DR audit will include a review of existing MOA and contracts to ensure that the organization's legal liability for lack of performance in the event of disaster or any other unusual circumstance is minimized.

Procedures for the stocking of food and water, capabilities of administering CPR/first aid, and dealing with family emergencies are clearly written and tested.

A review of the readiness capacity of a plan often includes tasks such as inquires of personnel, direct physical observation, and examination of training records and any certifications.

The auditor must review procedures that take into account the possibility of power failures or other situations that are of a non-IT nature.