Disaster Recovery Plan

IT DRP: how to plan recovery from a cyber crisis?

What is the IT DRP? How to set it up to ensure disaster recovery in the event of a computer failure or a cyberattack? Here is everything you need to know about the DRP, its definition and the usual stages of its implementation.

Published on 27 July 2021 (Updated on 17 June 2022)

The security of your computer systems does not only rely on your antivirus software. In 2021, cybersecurity challenges are so critical that you also need to consider the possibility that your protective measures are not sufficient. Your IT security also relies on you anticipating a possible shutdown of your IT infrastructure, whether because of a failure, a malware infection or a cyber attack.

The IT Disaster Recovery Plan, or DRP, details the procedures and technological resources your company would need to resume its strategic activities in the event of such a disaster. However, this useful tool requires you to master some basic principles. Here is everything you need to know about the DRP, its definition and the usual stages of its implementation.

What is the Disaster Recovery Plan?

The Disaster Recovery Plan, or DRP, enables the company to resume normal operations after a disaster. In the context of IT, this disaster generally involves a cybersecurity breach: loss, theft or disappearance of sensitive data, virus, cyberattack, cybercrime.

Definition of the Business Recovery Plan

In the context of IT, the DRP has one main goal, safeguarding the sustainability of your company's activities, which it pursues through several sub-goals:

  • anticipating and mitigating the impact of any cybercrisis;
  • guaranteeing the protection of sensitive digital data in the event of a disaster;
  • ensuring the continuity of the structure's activities, in the face of the IT crisis;
  • setting up a back-up system to resume critical IT applications.

The DRP is a document which lists all the processes your company has to put in place to maintain or rebuild the IT systems in the aftermath of a cyber crisis:

  • It indicates how and when to refer to the back-up system, provided for in the crisis management plan;
  • The Disaster Recovery Plan specifies which backup system to activate in order to ensure the security of confidential data;
  • It details how long each department can afford to be paralysed, namely the RTO (Recovery Time Objective);
  • This document also determines the maximum acceptable data loss, or RPO (Recovery Point Objective).

Differences between DRP and BCP

The missions of BCP and DRP have evolved over time. Originally, the BCP, or business continuity plan, had to anticipate the impact of a disaster on the company. It also provided for measures to mitigate the negative consequences of crises. The DRP functioned like the BCP, but only dealt with IT issues.

Over time, the Business Continuity Plan and the Disaster Recovery Plan have both taken on more precise meanings. Each now has a specific role regarding the company's IT system.

What is BCP today?

The BCP now consists of a portfolio of procedures and resources that help to safeguard the continuity of the organisation's activities should a problem occur. Its objective is before anything else to avoid the interruption of IT systems and prevent operational disruptions. It must therefore be built in such a way that all of the company's IT structures remain available: networks, servers and data centers.

From a strict IT perspective, a distinction is made between the operational continuity plan, which covers the company as a whole, and the IT Continuity Plan, which specifically targets the procedures and resources to put in place to ensure the continuous operation of the information systems.

What does IT DRP mean today?

The Disaster Recovery Plan focuses on making sure the company's activity can be operational again. This means, in IT, backing up infrastructure. The plan is then activated when an obvious shutdown of the information systems happens. It must ensure the post-disaster reconstruction of the IT and the reboot of the applications which are the most critical to the company’s operation.

Its objective is to guarantee a satisfactory resumption of activity as soon as practicable, to reduce the financial consequences of the cyber crisis. This is why it has to rely on careful risk mapping to provide adequate back-up IT systems and ensure data redundancy. Data redundancy means saving the same data on different devices (phone, computer, external hard drive, digital drive, tablet…).


The IT Disaster Recovery Plan in CIO terminology

To summarise, Chief Information Officers (CIO) generally consider that the BCP describes the measures to ensure the continuity of the activity, while the DRP details the measures which guarantee the resumption of activity after an IT shutdown. The Disaster Recovery Plan is indeed activated when the infrastructure is unavailable.

In the event of a cyber attack, there are generally two execution scenarios for the DRP:

  • Either your company was prepared for IT crises, and had a BCP to mitigate the impact of the disaster. In this case, your company can reduce the RTO and RPO to a minimum and apply a “warm restart” of the applications. This is a quick restart of activities on one or more backup servers, all based on pre-disaster data backups.
  • Or your structure had neither a BCP nor the technical means to execute an effective crisis management plan. In that case, you have to do a “cold restart” afterward, that is to say several hours or days after the disaster. In this scenario, recovery is based on the company's latest backups. However, this cold procedure tends to disappear with the generalisation of cloud data storage.

When should you set up your IT recovery?

By definition, the DRP is only activated when the company suffers a real shutdown of its IT activities. If you want this IT recovery plan to perform well and enable you to quickly resume your activities, you must think it through well in advance of the actual onset of a cyber crisis. Allow an average of 3 months to design it. This is an indicative time frame; you might need more or less, depending on the size of your structure.

Once a cyberattack, computer failure or human error has affected your infrastructure, the execution of your DRP should help minimise your operational downtime. The longer the recovery, the more the company’s financial results are jeopardised.

Advantages and disadvantages of the DRP

The main mission of the Disaster Recovery Plan is to ensure a rapid restart of your operations. An overly long interruption has an impact on your reputation and, as a consequence, on your financial value. Moreover, if that one-off stop threatens the fulfillment of your regulatory and contractual obligations, you incur harmful legal consequences.

Setting up a DRP does come at a cost. It pays for itself, however, if you take into account the harmful consequences that it prevents for the company in the event of a cyberattack or an IT failure:

  • alteration or disappearance of part of the sensitive data;
  • loss of turnover due to the shutdown of the IT systems;
  • bad reputation with customers, partners and investors;
  • legal risks.

The DRP relies on a third-party computer network and on data backups to ensure satisfactory IT operation. Like the BCP, the advantages of the Disaster Recovery Plan can only be appreciated if good practices are complied with. This is a plan that should be thought through and regularly tested. Its development takes time and a large budget to be effective.


How to develop a DRP?

The implementation of the IT Business Recovery Plan can be broken down into several stages. In general terms, it is first of all a matter of writing specification notes that determine the critical IT applications for your structure. These applications are the ones which require an emergency “backup” in the event of an IT shutdown.

It is also a question of identifying which backup system you need to set up and which data backup model you opt for. Your DRP must also provide for regular update measures.

1 / Check the official recommendations for activity recovery

Depending on the sector of activity in which you operate, there are probably regulations and standards that govern the resumption of activity, including the methods of carrying out your DRP. The ISO 22301 standard thus organises business continuity management for a certain number of areas.

The banking and finance sector is particularly affected by this type of regulatory obligation. The Financial Conduct Authority (FCA), for example, states that approved companies specialising in portfolio management must have a DRP.

2 / Define responsibilities in carrying out the plan

The IT Disaster Recovery Plan will of course harness the skills of your CIO and your general management. More broadly, each department will have to participate in its development to determine which IT applications are essential to the proper functioning of the company.

In order to have a fluid and coherent DRP development, it may also be useful to appoint a person responsible for its implementation. They generally come from the IT department. Their role is to assess which infrastructures need to be backed up as a priority in the event of an IT shutdown, all of this after having consulted with the other departments.


3 / Audit the IT systems before any cyber crisis

The inventory of IT tools essential to an effective recovery of activity focuses on several elements:

  • needs in terms of network, and in particular internet speed;
  • available servers;
  • software applications that are used on a daily basis;
  • automatic backups, especially their frequency and volume.

4 / Rank critical IT activities

The next step is to organise the applications according to their degree of criticality for the proper functioning of the company. In the day-to-day life of your organisation, some activities are less resilient to the unexpected shutdown of the IT than others.

You must rank these activities and the corresponding IT applications from most critical to least critical in order to define the effective scope of your Disaster Recovery Plan. You should also compare this criticality with the probability of the risks. This is a standard approach to managing risks and anticipating cybersecurity breaches.

This step also implies defining acceptable RTOs and RPOs for your business. In other words, it will be necessary to detail the maximum time of return to service that your structure can tolerate, as well as the maximum time when data is not recorded. Those are issues CIOs know well for they are directly related to the frequency of data backup.
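The ranking and RTO/RPO step above can be checked mechanically against the inventory from step 3. The following is an added example, not part of the original article: it ranks applications by criticality multiplied by likelihood and flags those whose backup frequency or measured restore time cannot meet the stated objectives. The application names, the 1 to 5 scales, the multiplication score and all figures are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta as td

@dataclass
class App:
    name: str
    criticality: int      # 1 (low) .. 5 (business stops without it), assumed scale
    likelihood: int       # 1 (rare) .. 5 (expected), probability of the risk
    rto: td               # maximum tolerable time to return to service
    rpo: td               # maximum tolerable window of lost data
    backup_interval: td   # time between two automatic backups
    tested_restore: td    # duration measured during the last restore test

def gaps(app):
    """Return the objectives the current setup cannot meet."""
    issues = []
    # Worst case: the disaster hits just before the next backup runs,
    # so everything written since the previous backup is lost.
    if app.backup_interval > app.rpo:
        issues.append("RPO")
    # A restore that took longer than the RTO in a test will not be
    # faster during a real crisis.
    if app.tested_restore > app.rto:
        issues.append("RTO")
    return issues

def drp_scope(apps):
    """Rank apps from most to least at risk, with their unmet objectives."""
    ranked = sorted(apps, key=lambda a: a.criticality * a.likelihood, reverse=True)
    return [(a.name, a.criticality * a.likelihood, gaps(a)) for a in ranked]

# Constructed inventory, for illustration only.
INVENTORY = [
    App("billing-db", 5, 3, td(hours=4), td(minutes=15), td(hours=1), td(hours=2)),
    App("intranet-wiki", 2, 3, td(days=2), td(days=1), td(days=1), td(hours=6)),
    App("order-api", 5, 4, td(hours=1), td(minutes=5), td(minutes=5), td(hours=3)),
    App("file-share", 3, 4, td(hours=8), td(hours=4), td(hours=24), td(hours=10)),
]

if __name__ == "__main__":
    for name, score, issues in drp_scope(INVENTORY):
        status = ", ".join(issues) + " not met" if issues else "objectives met"
        print(f"{score:>2}  {name:<14} {status}")
```

An application flagged for RPO needs more frequent backups or replication; one flagged for RTO needs a faster restore path, such as a warm backup site.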

5 / Provide a budget for the Disaster Recovery Plan

Designing and activating a DRP implies a cost centre, although it also contributes to preventing financial losses. The question of the budget dedicated to this Disaster Recovery Plan is however all the more central as it establishes the type of backup solution you need to favour, should IT activity be stopped.

For a reasonable budget, compare the expenses due to the DRP with those implied by a shutdown of your company’s IT operation.

6 / Specify the exact scope of your back-up IT solution

Once you have gathered all of this preliminary data, you still need to define which IT infrastructure will host your back-up applications. Many companies plan what they call a “backup site” for that: a second location equipped with the necessary IT infrastructure and a data replication system. This solution is interesting because it works according to a principle of reciprocity: both sites protect each other.

However, this is an expensive avenue. This is the reason why many organisations prefer resorting to a service provider that will grant them a remote infrastructure. The DRP on Cloud is therefore an option that is gaining ground, especially DRaaS (Disaster Recovery As A Service).

7 / Regularly test your DRP

Designing a Disaster Recovery Plan only makes sense if you take into account the new software acquired by your company along the way as well as corresponding updates. The backup applications and data replication procedures must also be regularly tested to verify their suitability regarding the upgrading of your IT.

You also need to make sure your Recovery Plan fits the logistical habits of your human resources. It must be activated in accordance with your overall management plan in the event of a cyber crisis. This requirement can be part of the simulation exercises provided for in your cyber crisis management strategy.

3 questions about the Disaster Recovery Plan (DRP)

The DRP, or Disaster Recovery Plan, comprises a set of documents detailing the steps to a back-up IT infrastructure setup. This must safeguard the usual course of business activities, following a one-off shutdown of the IT. This shutdown could be due to a cyberattack, a computer breach, human negligence, data loss or theft.

Disaster Recovery as a Service is a cloud backup solution provided by a third party: your data server is replicated on your service provider’s facility via the cloud, thus making it easy for you to recover the data you lost during a disaster. It is a simple solution that removes the need to develop a complex and thorough plan. Maintenance costs that come with a second site are also a thing of the past since you only have to pay for a subscription.

There are sectors for which an interruption of activity, even of one minute, means a real financial loss or danger for data integrity. In these sectors, a BCP is essential. Companies whose activities have a lower level of criticality and who can afford longer IT downtime can settle for a DRP.