SNo

2
3

4
SNo

5
6
7
8

9
10

11
12
13
14
15
16
17

18
19
20
21

22

23
24

25
26

27
28

29
30

31
32
 Description
Disaster Recovery - DR Plan
Verify the DR Plan was approved by all appropriate parties.
Verify the DR Plan lists the resources and infrastructure needed to restore the business process and its supporting assets.

Verify the DR Plan lists the steps which must be executed in order to implement the business process' recovery.
Verify the DR Plan includes the business process recovery activities and service commitment requirements from third party
Suppliers of Service (includes both vendors and divisions providing support)
Description
Disaster Recovery - DR Test
Verify the DR Test objectives were approved by all appropriate parties and prior to the test.
Verify the most recent DR Test was executed on time according to the required test interval.
Verify the most recent DR Test results included documented test requirements and criteria for a successful test.
Verify the most recent DR Test results included user acceptance requirements, including the person(s) responsible for
declaring a successful test and that any deficiencies were documented.
Verify the most recent DR Test results included user sign-off acceptance of a successful execution of the DR Plan
Disaster Recovery - Can you demonstrate delivery against DR Contractuals and risk management of any delays /scope
changes etc
Disatster Recovery vs Contract
DR Test Objectives
DR Test assumptions
DR Test Results
DR Test issues tracking
DR Test solution

DR- Capacity Validation and formal review

1. validation as per the contract requirement to asses if Capacity requirement relate to having a DR setup.
2. Are capacity review done for production vs DR as per the the contract requirement.
3. Are the reports shared with customer and management?
DR- Drill validation
DR- Physical Access - risk communication for non managed client location for being below client standard
DR- Contract requirment for DR plan to be offsite. Has the specific authority defined for invoking the DR.
Ensure that adequate and effective contingency plans have been established to support the prompt recovery of crucial
enterprise functions and IT facilities in the event of major failure or disaster;
Ensure that all mandated disaster recovery, business continuity, and security requirements have adequate compliance
policies and procedures in place;
Ensure the survival of the business and to minimize the implications of a major enterprise and/or I T failure;
Ensure that all the potential risks to the enterprise and its IT facilities are identified and assessed in preparation of the
contingency plans;
Ensure the optimum contingency arrangements are selected and cost effectively provided;
Ensure that an authorized and documented disaster recovery / business continuity plan is created, maintained up-to-date,
and securely stored;
Ensure that the recovery plan is periodically tested for its relevance and effectiveness;
Ensure that all internal and external parties to the recovery process are fully aware of their responsibilities and
commitments;
Ensure that appropriate liaison is maintained with external parties (i.e. insurers, emergency services, suppliers, etc.);
Ensure that both the damaged and recovery sites are secure and that systems are securely operated in support of the
enterprise;
Ensure that systems and procedures are adequately and accurately documented to aid the recovery process; and
Ensure that public and media relations would be effectively addressed during an emergency in order to minimize adverse
publicity and busi+B1:I36ness implications.
Start Date End Date Evidences Observations Severity Status Remarks

Start Date End Date Evidences Observations Severity Status Remarks

Business Continuity Audit Program and Checklist

Area Sub Area Checklist

Developing Overview If a major disaster occurred today, has your
The Plan organization planned for survival?
Does your organization have a Business Continuity
Plan (BCP), and is it up to date?
Has senior management approved the BCP?
Does senior management support the BCP?
Has the cost of the BCP been determined, including
development and maintenance?
Have the initial audit, security, and insurance
departments reviewed the BCP?
Has the BCP been tested, including a surprise test?
Accountability Does your organization’s policy include a definition of
crisis?
Crisis management doc and team
Has the person responsible for critical systems and
business processes been identified?
Has a BCP Team been appointed, and does it include
senior business function leaders?
Has the BCP been communicated throughout the
organization?
Has a person been assigned with the responsibility to
update the BCP?
Risk Assessment Has your organization conducted a Risk Assessment?
(See ASIS International’s General Security Risk
Assessment Guideline at www.asisonline.org/guidelines/
guidelines.htm)
Have the types of risks that may impact your
organization been identified and analyzed?
Has the likelihood for each type of risk been rated?
Business Impact Have the critical business processes been identified?
Analysis
Have the business processes been ranked (low,
medium, high)?
If a crisis were to happen, has the impact, in terms of
human and financial costs, been assessed?
Have the maximum allowable outage and recovery time
objectives been determined?
Has the length of time your organization’s business
processes could be non-functional been determined?
Have the recovery time objectives been identified?
Have the resources required for resumption and
recovery been identified?
 Strategic Plans Have methods to mitigate the risks identified in the
Business Impact Analysis and Risk Assessment been
identified?
Have plans and procedures to respond to any incident
been developed?
Have strategies that address short and long term
business interruptions been selected?
Are the strategies attainable, tested, and cost effective?

Crisis Management and Is the Crisis Management Team comprised of members

Response Team from human resources?
Development
Have Response Teams to support the Crisis
Management Team been organized?
Have response plans to address the various aspects of
the crisis been developed and incorporated into the
organization’s overall BCP?
Do the response plans address damage assessment,
site restoration, payroll, human resources, information
technology, and administrative support?
Has contact information been included in the plan for
the Crisis Management and the Response Teams?
Prevention Compliance w/Corporate Have compliance audits been conducted to enforce
Policy & Mitigation BCP policy and procedures?
Strategies
Have the systems and resources that will contribute to
the mitigation process been identified, including
personnel facilities, technology, and equipment?
Have the systems and resources been monitored to
ensure they will be available when needed?
Avoidance, Deterrence, Are employees motivated to be responsible for
and Detection avoidance and deterrence and detection?
Have facility security programs to support avoidance
and deterrence and detection been established?
Have operational policy and procedures to protect the
facilities been developed?
Is it ensured that sufficient physical security systems
and planning are in place to protect the facility?
Response Potential Crisis Will the response program recognize when a crisis
Recognition and Team occurs and provide some level of response?
Notification
Have the danger signals been identified that indicate a
crisis is imminent?
Have personnel been trained to observe warning signs
of an imminent crisis?
Has a notification system been put in place, including
redundant systems?
Is the notification contact list complete and up to date?
Assess the Situation Has an assessment process to address the severity
and impact of the crisis been developed?
Has the responsibility for declaring a crisis, with first
and second alternates, been assigned?
Declare a Crisis Have the criteria been established for when a crisis
should be declared?
Has the responsibility for declaring a crisis been clearly
defined and assigned?
Has an alert network for BCP Team members and
employees been established?
Is it ensured that there is an alternate means of warning
if the alert network fails?
Have the activities that will be implemented in event of
a crisis been identified, including notification,
evacuation, relocation, alternate site activation, team
deployment, operational changes, etc?
Execute the Plan Has consideration been given to developing the BCP
around a ‘‘worst case scenario?’’
Has the BCP been prioritized to save lives, protect
assets, restore critical business processes and systems,
reduce the length of the interruption, protect reputation,
control media coverage, and maintain customer
relations?

Have the severity of the crisis and the appropriate

response been determined?
Communications Has a crisis communications strategy been developed?

Are communications timely, honest, and objective?

Are communications with all employees occurring at
approximately the same time?
Are regular updates provided, including notification of
when the next update will be issued?
Has a primary spokesperson and back-up
spokespersons been designated who will manage and
disseminate crisis communications to the media and
others?
Resource Management Has a system been devised by which all personnel can
– Human Element be accounted for quickly?
Is there a system to ensure current and accurate
contact information is maintained?
Have arrangements been made for next-of-kin
notifications?
Can crisis counseling be arranged as necessary?
Will the financial systems for payroll and support of
facilities and employees remain functional?
Resource Management Has a designated Crisis Management Center been
—Logistics identified, and does it have necessary life support
functions, including uninterruptible power supply and
communications equipment?

Resource Management Has the appropriate insurance coverage been identified
– Financial Issues and and obtained?
Insurance,Transportation
, Suppliers/Service
Providers, and Mutual
Aid
Recovery and Damage and Impact
Resumption Assessment, Process
Resumption, and Return
to Normal Operations
Implementing Education and Training
and
Maintaining
the plan
Have alternate worksites for business resumption and
recovery been identified?
Have critical and vital records been stored at an offsite
storage facility?
How long can each business function operate
effectively without normal data input storage processes?
What must be done to restore data to the same
previous point in time within the recovery time objective?
Can any alternate data storage processes be used,
after the initial data recovery, to speed the forward
recovery to the present time?
Are cash and credit available to the BCP Team?
Have transportation alternatives been arranged in
advance?
Have critical vendor and service provider agreements
been established?
Have mutual aid agreements been established?
If so, are they legally sound, properly documented, and
understood by all parties?
Has a damage assessment been performed as soon as
possible?
Has the Damage Assessment Team been mobilized to
the site?
Has business process recovery been prioritized to
recover the most critical business processes first?
Is the schedule of the processes to be restored in
accordance with the prioritization schedule?
Is there documentation of when the processes were
resumed?
Has the organization returned to normal operations?
Has the decision to return to normal operations been
documented and communicated?
Are the Crisis Management and Response Teams
educated about their responsibilities and duties?
Has a checklist of critical actions and responsibilities
and duties been developed?
 Do Teams receive annual training?
Testing Are the Business Continuity Plan and appropriate
Teams tested to reveal any weaknesses that require
correction?
Have goals and expectations of testing and drills been
established?
Are drills and tabletop exercises conducted on an
annual basis?
Has responsibility for testing the BCP been assigned
with consideration for establishing a test team?
Does test participation include various groups from the
organization and the public sector?
Have observers been assigned who will take notes
during the test and critique the test at the conclusion of
the exercise?
Have tests and drills been evaluated, including
assessing how well the goals and objectives of the tests
and drills were met?
BCP Review and Is the BCP regularly reviewed and evaluated on a
Maintenance Schedules predetermined schedule?
Is the BCP reviewed every time a Risk Assessment is
completed for the organization?
Is the BCP modified as needed based on test/exercise
results?
Has responsibility for on-going BCP maintenance been
assigned?
Does BCP maintenance reflect changes in the
operation of the organization?
Status Finding Notes

rto rpo
#1: Analysis of potential threats
#2: Areas of responsibility
#3: Emergency contact information
#4: Recovery teams
#5: Off-site backup of important data
#6: Backup power arrangements
#7: Alternative communications strategy If your company's phon
#8: Alternative site of operations
#9: Essential equipment/services backup
#10: Recovery phase The BCP should addre
If your company's phones and/or Internet connection are down, how will you keep in touch with customers, employees who ar

The BCP should address the step-by-step process of recovering and reinstating the business operations to a pre-disaster stat
customers, employees who are off-site, contact emergency services, etc.? Your BCP should note which employees have cell ph

erations to a pre-disaster state, including assessing the damage, estimating recovery costs, working with insurance companies
which employees have cell phones and their numbers, as well as whether and where you have other methods of communicatin

ing with insurance companies, monitoring the progress of the recovery process, and transitioning the management of the busin
her methods of communicating during a widespread disaster, such as ham radios. If you run your own e-mail servers, do key e

the management of the business operations from the recovery team back to the regular managers.
own e-mail servers, do key employees have alternative e-mail addresses that they check regularly (home accounts or account
y (home accounts or accounts with Web-based e-mail services, etc.) and are these addresses known to other key personnel in
own to other key personnel in case they're needed for emergency contact?