Audit and Assurance

Application DRP preparation

  • 1.  Application DRP preparation

    Posted 14 Sep, 2019 09:54
    Dear professionals,
    When creating the DRP for a particular application (assumed it's confirmed to be a high priority asset to be recovered after BIA), it's been asked to prepare different scenarios like power outage, server down, connectivity problems, ...
    Is there any checklist for the recovery procedures /points to cover in practice for reference?

    Or, if we are planning to outsource an application service to a third-party provider, what should be considered in terms of the DRP aspect? That is, what particular capabilities should the third party provide so that we can select the correct provider? I know it should be considered together with the SLA, but I am not sure what could be checked for the third party to ensure they can provide the expected service level and would be able to recover from a disaster or incident.

    Please share any thoughts, thanks a lot.


  • 2.  RE: Application DRP preparation

    Posted 16 Sep, 2019 06:05


    Great question! When preparing a DR Plan for a 'mission-critical application' the following are important to consider.

    1. What is the RTO of the process/activity it supports?
    2. Is RPO applicable?
    3. What are its dependencies? E.g. Power, network, infrastructure, people, other applications (peer level and sub-category)
    4. What are the threats? Do a brief risk assessment.
    5. What are the alternative strategies to mitigate those risks?
    6. Select the best strategy that is fit for purpose
    7. Prepare response and recovery plan
    8. Identify various roles in detecting, response, recovery, and resumption (who should do what)
    9. Distribute to selected staff, the draft plan and update on any valid feedback
    10. Finalise and socialise


    If there is a 3rd party responsible for the recovery of this critical application, you should ask for their DR Plan and ensure they have plans to bring up the application within the pre-defined time objectives. This should be tested periodically.


    Most importantly, the DR plan should be simple, easy to read and understand.

    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
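As an added worked example (not part of either post above, and not code from ContinuityNZ or any product), the following Python takes items 1 and 3 of the reply, the RTO and the dependency list, and turns them into a check a plan author can actually run: it sequences the components in dependency order, computes when each can be back if teams work in parallel, identifies the critical path, and reports whether the application's end-to-end recovery fits inside the RTO. Every component name, recovery time and the RTO value are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory for one mission-critical application.
# recovery_min is the assumed time (minutes) to restore that component once
# everything it depends on is already back. Values are illustrative only.
COMPONENTS = {
    "power":      {"recovery_min": 30, "depends_on": []},
    "network":    {"recovery_min": 20, "depends_on": ["power"]},
    "database":   {"recovery_min": 90, "depends_on": ["power", "network"]},
    "auth-svc":   {"recovery_min": 15, "depends_on": ["network"]},
    "app-server": {"recovery_min": 40, "depends_on": ["database", "auth-svc"]},
}


def recovery_order(components):
    """Return a dependency-respecting recovery sequence (Kahn's algorithm).

    Raises KeyError for a dependency not in the inventory and ValueError for a
    dependency cycle; both are plan defects worth catching before an incident.
    """
    indegree = {name: len(spec["depends_on"]) for name, spec in components.items()}
    dependents = {name: [] for name in components}
    for name, spec in components.items():
        for dep in spec["depends_on"]:
            if dep not in components:
                raise KeyError(f"{name} depends on unknown component {dep!r}")
            dependents[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for nxt in sorted(dependents[current]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(components):
        raise ValueError("dependency cycle detected; the plan cannot be sequenced")
    return order


def recovery_timeline(components):
    """Earliest finish time (minutes from incident) for each component.

    Assumes separate teams restore independent components in parallel and each
    component starts as soon as all of its dependencies have finished.
    """
    finish = {}
    for name in recovery_order(components):
        spec = components[name]
        start = max((finish[d] for d in spec["depends_on"]), default=0)
        finish[name] = start + spec["recovery_min"]
    return finish


def critical_path(components, target):
    """Chain of dependencies that determines the target's finish time."""
    finish = recovery_timeline(components)
    path, current = [target], target
    while components[current]["depends_on"]:
        current = max(components[current]["depends_on"], key=lambda d: finish[d])
        path.append(current)
    return list(reversed(path))


def rto_check(components, target, rto_min):
    """Compare the target application's earliest recovery against its RTO."""
    finish = recovery_timeline(components)
    return {
        "target": target,
        "finish_min": finish[target],
        "rto_min": rto_min,
        "meets_rto": finish[target] <= rto_min,
        "critical_path": critical_path(components, target),
    }


if __name__ == "__main__":
    # Constructed RTO of 120 minutes for the sample application.
    result = rto_check(COMPONENTS, "app-server", rto_min=120)
    print("Recovery order:", recovery_order(COMPONENTS))
    print("Timeline (min):", recovery_timeline(COMPONENTS))
    print("RTO check:", result)
```

The useful output is the critical path: when `meets_rto` is false, the components on that path are the ones where a faster strategy (item 5 in the reply, for example a warm standby instead of a restore from backup) buys back time, while shortening anything off the path changes nothing. The same structure applies to an outsourced component: its `recovery_min` is whatever the provider commits to in the SLA, and the check shows whether that commitment is compatible with your own RTO.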