Disaster recovery audit, maintenance and continuous improvement

Congratulations! Your IT disaster recovery planning project has reached its final stages. The previous stage was to draw up strategies for disaster recovery testing. Now it is time to map out plans for disaster recovery audit, maintenance and continuous improvement.

Your plans for disaster recovery audit, maintenance and continuous improvement will include the establishment of a process for keeping disaster recovery plans and associated activities up-to-date; auditing and reviewing plans to ensure they remain fit for purpose and consistent with applicable standards and management controls; and establishing a process for continuous improvement of the overall disaster recovery programme.

In this series of articles we’ve referenced a specific international standard, the “ISO/IEC 27031:2010, Information technology -- Security techniques -- Guidelines for information and communication technology (ICT) readiness for business continuity” standard.
This is the global standard for IT disaster recovery as it applies to end users. Another ISO standard, ISO/IEC 24762, addresses IT disaster recovery from a service provider perspective.

Now, when looking at preparation of disaster recovery audit, maintenance and continuous improvement strategies, ISO 27031 also provides some important recommendations.

It states:

Any change to ICT services which may affect the disaster recovery capability should be implemented only after the business continuity implications of the change have been assessed and addressed. To ensure that these strategies and plans remain appropriate for the organisation:

1. Senior management should ensure that business continuity and disaster recovery (BC/DR) strategies continue to support the organisation’s business continuity management (BCM) requirements;
2. The change management process should include all parties responsible for BC/DR strategies, both in their planning and implementation;
3. The development process for new ICT services should include sign-off that resilience has not been compromised by even the most simple of upgrades or improvements;
4. Due diligence on merger and acquisition activity should include a resilience assessment, and;
5. ICT component decommissioning should be reflected within a related BC/DR management system.

These provisions and others will be explored within this article.

Disaster recovery audit, maintenance and continuous improvement in the DR planning process

As noted in previous articles in this series, disaster recovery strategies and procedures help organisations protect their investments in IT systems and operating infrastructures. Disaster recovery’s principal mission is to return IT operations to an acceptable level of performance as quickly as possible following a disruptive event.

The image below depicts the IT disaster recovery life cycle and is adapted from the Business Continuity Institute’s Good Practice Guidelines 2010 version and ISO/IEC 27031. It shows where the disaster recovery audit, maintenance and continuous improvement fit into the overall disaster recovery lifecycle and framework. Continuous improvement is an ongoing activity that occurs at all points in the DR planning lifecycle, and can be implemented through effective programme management.

The IT disaster recovery lifecycle

Building a disaster recovery audit plan

Whether you use an internal audit department or an external auditing firm, be sure to periodically evaluate your disaster recovery programme to ensure it continues to be fit for purpose and compliant with industry standards and company policies. Here are ways to ease that process:

1. Define the internal audit plan for IT disaster recovery and document the criteria, scope, method and frequency of audits.
2. Ensure that only qualified auditors are appointed. Check to ensure that your audit firm has expertise in business continuity and disaster recovery.

3. Select auditors and conduct the audit to ensure objectivity and impartiality during the audit process.
4. Establish a procedure to ensure that deficiencies identified in an audit are corrected within an agreed-upon time frame.
5. Ensure that audits address internal and external organisations. So, for example, make sure to audit outsourcing vendors to ensure their capabilities support your organisation's disaster recovery strategies and plans.
6. Conduct an internal audit when there are significant changes to critical IT services, business continuity and/or disaster recovery requirements.
7. Have audit results documented and reported to senior management, who should review the audit results and support follow-up corrective actions.
8. Refer to the ISO 27031 to prepare for an audit by identifying the relevant audit issues.

Building a disaster recovery maintenance plan

When building a disaster recovery maintenance plan, be sure to secure senior management review and approval. Key activities for successful disaster recovery plan maintenance include the following:

1. Establish an ongoing plan maintenance schedule of activities. These will include risk assessments, business impact analyses (and updates to existing risk assessments and BIAs), plan reviews, plan exercises, contact list updates, and plan training and awareness activities.
2. You can build your maintenance programmes with something as simple as a spreadsheet; use the following headings as a starting point:
3. Coordinate disaster recovery maintenance activities with existing IT activities such as change management and hardware/software maintenance as well as with your help desk.
4. Document all maintenance actions, including when (date/time) maintenance was performed, summary of maintenance activities and approvals as needed.
5. Leverage existing internal resources, such as a Microsoft SharePoint collaboration space, to provide a secure repository for maintenance activities.
6. Generate periodic, (for example, quarterly) maintenance reports to management, highlighting the status of maintenance activities and issues that need to be addressed.

Building a continuous improvement capability

Once the disaster recovery project is completed, launch an ongoing process of continuous improvement. This process has ties to the “kaizen” philosophy of manufacturing, which encompasses activities to continually improve all manufacturing functions, involving all workers and all processes. When applied to disaster recovery, continuous improvement ties together the previously discussed disaster recovery audit and maintenance activities and leverages the results of both to introduce improvements to the process on an ongoing basis. As always, secure senior management authorisation when organising a continuous improvement programme.

Your organisation can continually improve disaster recovery and business continuity activities by monitoring the overall programme and applying preventive and corrective actions, such as periodic reviews of program performance, as appropriate. Be sure to maintain awareness of any changes in the business, such as merger or acquisition, and ensure that these changes are incorporated into the BC/DR plans and overall programme. It’s essential that your BC/DR programme accurately reflects the current state of your organisation and its operations.