What Is a Disaster Recovery Audit, And Why Do I Need One?


You’ve done the right thing by establishing a disaster recovery (DR) plan. Because of this, your organization has an excellent chance of saving its data and continuing operations when a disaster strikes. But the job’s not done yet. An effective DR plan requires vigorous testing and reviewing. This is where a DR audit comes into play.

What Is A DR Audit?

A disaster recovery audit is an independent review of your DR plan to make sure that it fully meets your organization’s needs on an ongoing basis. A DR audit collects and thoroughly evaluates evidence of your organization’s DR plans, practices, systems, procedures, and operations.

The disaster recovery audit reveals whether parts of your DR plan are incomplete, or are lacking procedures or documentation, or aren’t properly tested. In other words, the disaster recovery audit is a necessary final stage in confirming that your organization is prepared to respond to unforeseen events, and that it can minimize the severity and long-term impacts of any such events.

The DR audit needs to be conducted by an auditor who is a knowledgeable outsider to the situation and completely unbiased. This means that your DR auditor should not be one of your current or future stakeholders. Third party attestation eliminates any possibility of internal bias skewing the results of the audit.

Your third-party DR auditor should have the appropriate professional credentials, and they should perform their independent review according to generally accepted industry practices or standards. Measured against those standards, your DR auditor can assess your DR plan’s conformity and ultimately deliver a point-in-time “certification” and, potentially, registration on the basis of meeting or exceeding them.

When Should You Call For A DR Audit?

There are many reasons to conduct a DR audit aside from statutory or regulatory compliance. For example, when an organization’s management or ownership changes hands, a DR audit usually constitutes part of the due diligence process. New management should be vitally interested in the status of the organization’s DR plans.

A DR audit enhances the value of an organization. Potential customers sometimes request a DR audit in order to minimize the risks in a new business arrangement. A DR audit may also be required by new regulatory or trade association compliance standards, such as those of the Financial Industry Regulatory Authority (FINRA), the Health Insurance Portability and Accountability Act (HIPAA) or the Investment Dealers Association of Canada (IDA).

Furthermore, if your organization is tied to the government sector, you may be subject to a statutory DR audit request stemming from policies such as the Federal Information Security Management Act (FISMA) in the U.S. or the Treasury Board directive in Canada.

Of course, the most compelling reason to undertake a DR audit is to discover any specific organizational vulnerabilities to a potential threat or incident. Whatever the reason for undertaking a disaster recovery audit, it’s important to be aware that it is an essential part of doing business today, and that it can deliver value to your organization that far exceeds its costs.

Steve Tower

With many years of professional IT experience, and training as a Certified Management Consultant, a Project Management Professional, a Professional Engineer and a Member of the Business Continuity Institute, Steve Tower has the skills and abilities required to assist with even the most complex disaster recovery planning initiatives. Below, Steve discusses the necessary tools involved in setting up a disaster recovery plan and program.