BIZOPS-6 Disaster Recovery Testing

What is BIZOPS-6 Disaster Recovery Testing Control?

BIZOPS-6 Disaster Recovery Testing control refers to the exercise of identifying the critical systems that need to remain operational and documenting a plan for recovering those systems in the event of a disaster. The plan must be tested to confirm its soundness. There are no specific requirements for what disaster recovery testing includes. This is left to the discretion of each organization. 

Due to the sensitive and disruptive nature of this testing, it is best to plan ahead and perform it during off-hours. The defined disaster recovery plan must be tested at least once a year.

Available tools in the marketplace

No tool recommendation is made for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version.

Control implementation

To implement this control, at a minimum perform a tabletop exercise with all interested parties, during which a full walkthrough of the recovery exercise is discussed and documented in a ticket. Ensure the following is performed:

  • Data recovery to confirm that backup data will be available in the event that the main database is unavailable

This should occur at least annually and must be documented in a formal way (ticket or Word document). The steps and results must be thoroughly documented.

Initiate a full interruption of critical systems and the recovery of each system. The time taken to recover the systems must be documented.

What evidence do auditors look for?

At a minimum, most auditors look for the suggested actions below:

  1. Provide the meeting invite, agenda, and notes of the tabletop exercise.
  2. Provide before and after screenshots of the data recovery, demonstrating that the data was recovered from one point to another.

Above and beyond: Provide documentation of the full interruption exercise.

Evidence example

For the suggested action, an example is provided below:

  1. Provide documentation of the full interruption exercise.
    The following screenshot shows TrustCloud’s tabletop exercise with the date the exercise was completed, the test strategy, and the action items.
    [Screenshot: BIZOPS 6 Disaster Recovery Testing 01]
  2. Along with the tabletop exercise, upload the data restore ticket. The ticket includes the restore strategy, the before and after, and the restore results. The following screenshot shows an example of a data restore ticket.
    [Screenshot: BIZOPS 6 Disaster Recovery Testing 02]
