Developing a disaster recovery plan usually begins with an impact analysis that identifies the functions an organization requires to operate and determines how long each function can be unavailable until it affects the organization to an unacceptable extent.
Understanding the impact of disaster helps you identify the objectives for the recovery plan.
The following are examples of objectives that may be in a disaster recovery plan:
The priority you assign your objectives depends on the needs of your organization. By setting clear, prioritized objectives for your disaster recovery plan, you can reduce your organization's exposure to risks and ensure that your critical systems and networks are available during disruptions.
You can use the two following approaches to create disaster recovery plans:
A general plan that is used any time a disaster occurs. A general plan should be flexible and is often impact driven rather than disaster driven (that is, based on the impact to your organization rather than the type of disaster). A general plan usually is based on assumptions that define the scope of each impact in the plan. A general plan is easy to maintain and convenient. However, because it may require that some decisions are made at the time of disaster (such as assessing the type of impact and determining the response), the beginning of recovery can be delayed.
Multiple smaller plans, each used for a specific disaster that your organization has determined is most likely to occur. For example, individual plans often are created for power outages, network outages, fires, floods, and other similar occurrences. Individual disaster-specific plans are easier to create than a general plan. It is often clear which plan should be used, so fewer decisions are required at the beginning of recovery, which can result in quicker recovery. However, which plan to use may not always be clear (for example, if a fire causes a power outage), and if a disaster occurs for which a plan does not exist, recovery may be slow to begin and difficult to achieve.
A disaster recovery plan should be easy to follow and not require interpretation. Do not include unnecessary detail. If the plan is implemented, it will be in a time of high stress and pressure to perform; therefore, it should be simple, specific, and well tested.
You should publicize your disaster recovery plan within your organization so that everyone knows about it, understands how it works, and understands the reasoning behind the decisions in the plan.