6.8: Auditing Disaster Recovery Planning and Disaster Recovery Plans

Question 1

Auditing Disaster Recovery Planning

Answer 1

• Determine the effectiveness of planning and recovery documentation by examining previous test results.
• Evaluate the method used to store critical information off-site Evaluate environmental and physical security controls in any off-site or alternative sites and determine their effectiveness. Determine if off-site or alternate site locations are within the same geographical region.

Question 2

Auditing Disaster Recovery Plans

Answer 2

• Obtain a copy of disaster recovery documentation
• Examine a copy of the distributed copies of DR documentation to see if they are up to date
• Determine if all documentations are clear and easy to understand
• Obtain contract information for off-site storage providers, hot-sites facilities and critical suppliers. Call some of them to see if they are still doing business with the organization.
• For organization using third-party recovery as cloud infrastructure providers, obtain contacts that define organization and cloud provider obligation.
• If cloud service provider is used to bring service as recovery site, examine the procedures used too bring cloud-based systems to operational readiness
• Determine whether backup off-site (or e-vaulting) storage procedures are being followed, if critical IT applications are being backed up and proper media are being stored off-site.
• Examine change control process