GASP: AICF

BCM-002 Disaster Recovery Plan

Tier 2+

Description

A documented Disaster Recovery Plan (DRP) defines the procedures for recovering IT systems and services after a significant disruptive event. The DRP specifies recovery sequences, responsible roles, and technical procedures for restoring from backups or failover infrastructure. It is reviewed and updated at least annually.

Rationale

A BCP covers the business response to disruption; the DRP covers the technical restoration of systems. Both are required and serve distinct purposes.

Framework Mappings (4)

BCR-09: Disaster Response Plan (full)
5.30: ICT readiness for business continuity (partial)
CP-10: System Recovery and Reconstitution (full)
A1.2: Environmental Protections, Software, Data Back-Up Processes, and Recovery Infrastructure (partial)

Evidence (2)

policy / manual

Documented Disaster Recovery Plan defining recovery sequences, responsible roles, and technical restoration procedures for critical IT systems and services.

Example: Disaster Recovery Plan document (version-controlled, approved within last 12 months) including system recovery runbooks, failover procedures, and backup restoration steps for each critical service

Test: Request the current DRP. Verify: (1) recovery procedures are defined for each critical system; (2) roles and responsibilities are named with current contact information; (3) the plan references technical restoration procedures (backup locations, failover targets, recovery commands); (4) the document has been reviewed and approved within the last 12 months.

record / manual

DRP review record showing the plan was formally updated following the last DR test or annual review cycle.

Example: DRP version history or change log showing last update date, reason for update, and approver sign-off — particularly confirming updates made after the most recent DR test

Test: Request the DRP version history and most recent review record. Verify: (1) the DRP was reviewed within the last 12 months; (2) lessons from the most recent DR test are reflected in the current version; (3) a named approver signed off the current version.

Questions (2)

boolean

Does your organisation have a documented Disaster Recovery Plan (DRP) that defines recovery sequences, responsible roles, and technical restoration procedures for critical IT systems and services?

The DRP is distinct from the BCP — it should contain specific technical runbooks for recovering each critical system from backup or failover infrastructure.

multi

What does the Disaster Recovery Plan include?

- System-specific recovery runbooks for each critical service
- Defined recovery sequence and dependency order
- Named roles and current contact details for the DR team
- Reference to backup locations and failover targets
- Specific recovery commands or procedures (not just high-level guidance)
- Lessons from the most recent DR test incorporated into the current version

All six elements are expected in a production-grade DRP. A plan containing only high-level guidance without specific recovery procedures is insufficient for audit purposes.