A disaster recovery audit is a crucial part of ensuring the effectiveness of any disaster recovery (DR) program. The results of the DR audit will help your organization confirm that your plan and its various components are viable, up-to-date, and capable of meeting your business objectives. Here are the key elements:
1. Stakeholders
Every DR audit has a driving force behind it. It may be a major stakeholder, or a combination of them, that needs to assess a DR plan. Stakeholders can range from the ownership group of the entire business to just the managers or administrators of the IT infrastructure. Other stakeholders can include key service providers, customers, business partners, or equipment suppliers.
2. Standards
Most DR audits are assessed based on compliance with a recognized standard. ISO/IEC 24762:2008 is close to being a “universal” standard for DR. However, it is important to understand that the DR auditor’s interpretation of the standard should be flexible enough to accommodate the specifics of each situation.
For example, a standard DR audit needs to take into account certain variables, such as: What is the current state of the organization’s DR plan? Has it been in place long, or has it been recently established? DR auditors must also consider that different organizations have different inherent risk/exposure profiles. Some organizations may be at greater risk simply because of their site location. Other organizations may be running a handful of uniquely critical applications, or facing pressing capital constraints that change the scope of their DR plans.
In other words, despite the existence of DR compliance standards, there is no “one size fits all” DR audit. There are no set standards dictating the risk appetite of key decision-makers or stakeholders. Organizations need to find a qualified and experienced DR auditor who understands this.
3. Scope
It is crucial that all parties agree on the scope of the DR audit. They must determine whether the audit takes into account the entire DR program, or whether it should focus exclusively on a specific element. For example, an organization may have decided to prioritize its DR investment by identifying tiers of service within its data center. If external/internal communications constitute the top tier of priority, then the DR audit might only cover that tier.
The scope of the DR audit may also have a longitudinal dimension. The audit may examine what has changed, or what could change, in the direction of the organization in a way that would render the DR plan obsolete. The organization may want to determine whether it can maintain and sustain its DR plan over time, in order to keep it relevant and contemporary in light of newer, prevailing requirements.
Furthermore, the organization must decide whether the DR audit examines the impact of outsourced systems and services. For example, do office environment systems – such as networked multi-function printers – fall outside the scope of the audit?
4. Scorecard (expected result)
An essential element of a DR audit is concise documentation of the status of the DR program, especially with respect to the program’s specific goals. A scorecard compares the current state of the program to the desired state of the program. Gaps, risks, and exposure issues are identified, rated, and ranked individually.
The scorecard should rank aspects of the DR program based on prerequisites and immediacy. Then, the auditor groups the elements by priority into a time-sensitive “roadmap” indicating strategies for improvement. The scorecard should also clearly identify operational needs for the DR program, including business cases, budgets, and roles and responsibilities, as well as indicating how any special organizational project needs will affect the DR program.
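The scorecard logic above (rate each gap as the distance between current and desired state, rank the gaps, then group them into a roadmap ordered by prerequisites and immediacy) can be expressed as a small script. This is an added example, not part of the original article; the 0-5 maturity scale, the 1-3 immediacy scale and the sample controls are constructed assumptions.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter

@dataclass(frozen=True)
class GapItem:
    control: str           # DR program element being scored
    current: int           # observed maturity, 0-5 (constructed scale)
    desired: int           # target maturity, 0-5 (constructed scale)
    immediacy: int         # 1 = most urgent, 3 = least urgent (constructed scale)
    prerequisites: tuple = ()   # controls that must be in an earlier roadmap phase

    @property
    def gap(self) -> int:
        # Rating of the gap: how far current state lags desired state; never negative.
        return max(self.desired - self.current, 0)

def rank_gaps(items):
    """Rate and rank every open gap: widest gap first, ties broken by immediacy."""
    open_gaps = [i for i in items if i.gap > 0]
    ordered = sorted(open_gaps, key=lambda i: (-i.gap, i.immediacy, i.control))
    return [i.control for i in ordered]

def build_roadmap(items):
    """Group open gaps into time-sensitive phases: an item enters a phase only once
    every prerequisite sits in an earlier phase; within a phase, the most immediate
    and widest gaps come first. Closed gaps are dropped but still satisfy prerequisites."""
    by_name = {i.control: i for i in items}
    for i in items:
        missing = set(i.prerequisites) - set(by_name)
        if missing:
            raise ValueError(f"{i.control!r} depends on unscored items: {sorted(missing)}")
    ts = TopologicalSorter({i.control: set(i.prerequisites) for i in items})
    ts.prepare()  # raises graphlib.CycleError on circular prerequisites
    phases = []
    while ts.is_active():
        ready = ts.get_ready()
        phase = sorted((by_name[n] for n in ready if by_name[n].gap > 0),
                       key=lambda i: (i.immediacy, -i.gap, i.control))
        if phase:
            phases.append([i.control for i in phase])
        ts.done(*ready)
    return phases

# Constructed sample scorecard (not from the article)
SAMPLE = [
    GapItem("Offsite backups", 3, 5, 1),
    GapItem("Restore runbook", 1, 4, 1, ("Offsite backups",)),
    GapItem("Alternate site", 2, 4, 2),
    GapItem("Annual live failover test", 0, 3, 2, ("Restore runbook", "Alternate site")),
    GapItem("Roles and responsibilities", 4, 4, 3),  # closed gap, stays off the roadmap
    GapItem("Communication tree", 2, 3, 1, ("Roles and responsibilities",)),
]
```

Calling `rank_gaps(SAMPLE)` gives the individually ranked list, while `build_roadmap(SAMPLE)` yields three phases, with the live failover test deferred until both the runbook and the alternate site have been addressed.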
5. Audit Method
The DR auditor might take a non-intrusive approach, similar to a review of a QA system for inspection or methods, or they may use a more intrusive methodology. The latter may involve more substantive testing and sampling of recovery procedures (e.g., overseeing a live test), as well as inspection, interviews, document review, and examination of processes and technology.
6. Auditor
A DR auditor organizes, facilitates, assesses, mediates, and makes recommendations in a timely, cost-effective fashion. The auditor must have considerable DR planning experience, and must also possess excellent business and IT “domain and application” knowledge.
7. Follow-Up
The best DR auditors get involved in brainstorming, facilitation, and analysis of the DR program. They will follow up with the organization, accepting challenges and disagreements with their findings, and help them take action on any deficiencies or gaps.
For a DR audit to be effective, it must incorporate all seven of these elements. Of the seven, the auditor is the most essential part. Organizations want the work of their auditors to be above reproach, so that they can trust that the entire process and the results are accurate and comprehensive. Ultimately, a strong DR audit directly contributes to a DR plan that does the job in the event of a disaster.