Crafting the Perfect IT Disaster Recovery Plan: 10 Must-Have Elements

By Frank D'Silva | February 9, 2022
Frank leads the Solutions Architects team at Ntiva, Inc. With a background in network security, Frank graduated from George Mason in 2007 with a B.S. degree in Information Technology.

The challenges of recent years have proven that every business needs an IT disaster recovery plan when things go wrong — which as we've learned, they will. It’s never too early to plan disaster recovery, and IT disaster recovery plans (IT DRPs) are essential for rescuing systems. With these things in mind, here is an IT disaster recovery plan template to help you prepare for the worst (so you can hope for the best with more confidence).

What is a disaster recovery plan?

A disaster recovery plan is a documented process detailing a disaster recovery strategy and a list of well-thought-out disaster recovery procedures, designed to help protect your business from expensive disasters.

For your disaster recovery plan template, we've outlined the 10 essential elements of a disaster recovery plan to help get you started!

Many businesses, for various reasons, think they don't need a disaster recovery plan (IT DRP), but one simple fact explains why the DRP is essential: the majority of IT disasters (big and small) are caused by human error.

Simply put, your employees are the number one reason why your organization needs to have an IT disaster recovery plan (also referred to as DRP or IT DR) in place.

It’s not that you need to guard against disgruntled workers sabotaging critical systems, although that does sometimes happen.

The more common risk comes from your people just being … people, clicking on a bad link, or opening a malware-infected file attached to an email.

Humans are fallible, so the disaster recovery planning process needs to pay special attention to your business’ most well-meaning but inevitably fallible asset. The DRP will minimize the risk of human error, helping to prevent hackers, viruses, or ransomware attacks from having an easy ride.

Other risks exist too, so your plan will need to mitigate against:

  • Hardware failures
  • Fire
  • Flood
  • Criminal acts
  • Power surge/outage
  • Natural disasters
  • Loss of communication systems

Before you jump into building the information technology side of your business continuity strategies, you need to have an idea of the most critical elements.

Let's get started — here are 10 essential elements to include disaster recovery planning.

1. Assessment

2. Strategy

3. Training

4. Response Teams

5. Backups

6. Metrics

7. Air Gapping

8. Encryption

9. Retention

10. Testing

Top Ten Essential Elements of a Disaster Recovery Plan (DRP) 

Disaster Recovery List


1. Do A Thorough IT Assessment and Inventory

In order to put a reliable disaster recovery plan into action, you first need to do a thorough inventory of your IT assets. This will include on-site hardware and software, and also all the cloud-based systems and services that your business operations rely on.

This assessment and risk analysis is generally conducted by your IT provider and, depending upon the size of your company and the complexity of business processes, your DRP assessment can take some time.

If the DRP assessment is not done or is incomplete, an organization may find it difficult to recover critical processes or data in the event of an IT disaster.

As part of your disaster recovery planning, a managed security service provider can play a key role in ensuring that your security and compliance requirements are being met, regardless of your industry.

2. IT Backup Management Strategy under the DR Plan

Once you've done a thorough assessment of your IT assets — data, systems, hardware, cloud — it's time to get to work on an IT disaster plan.

With disaster recovery planning, the formal strategy generation process begins when an IT engineer takes the information from the assessment and examines it to see what tools and tactics will work best for your scenario and business operations.

DR planning varies because every organization is unique in its reliance upon and use of data, applications, on-site assets, and cloud-based options.

The most cost-effective technology disaster recovery plan option for a business may be to migrate to the cloud instead of maintaining physical off-site data centers (known as disaster recovery sites) for DR plans.

These ironclad facilities have their own enterprise-level protections, so rest assured that the data center disaster recovery plan is your ultimate guarantee of safety within your own DR plan.

An internal disaster recovery site might be a better fit for the recovery strategy when companies have greater information requirements and aggressive recovery time requirements.

The strategy stage of the business continuity/disaster recovery (BCDR) process is where the IT specialists use their experience and expertise to fine-tune the recovery plan that will work for your business.

3. Proper Backup Management Requires Employee Training

In order to be effective, disaster recovery strategies must be championed by top management and adopted throughout the organization.

Each member of the management team and all staff must understand their role in keeping processes within the umbrella of protection provided by the IT disaster recovery plan.

If, for example, an employee decides to make their job "easier" by downloading software from the internet without talking to IT support, they are effectively taking a part of both the company’s data and its operations outside the protection afforded by business continuity planning and the disaster recovery plan.

As part of disaster recovery management, an organization must invest in training employees both in cybersecurity awareness and in their individual roles (the steps they should take) if disaster strikes.

4. Create Disaster Response Teams

Best practice for a disaster recovery plan includes having an emergency response team that determines to what extent the disaster recovery plan must be invoked.

Once the roles and responsibilities are assigned, this team then contacts and assembles the disaster recovery team that includes IT specialists as well as key staff from the main business departments who focus on business recovery.

It's critical to create and test the plan with disruption rehearsals in which delegated staff respond to disaster recovery plan examples. Practice makes perfect, and also embeds the subject into work culture so that nobody will ever ask “What is a disaster recovery?” ever again.

Under the disaster recovery policy, team members need to have the contact information of third parties including key customers, suppliers, insurance, media outlets, and even family members to respond in cases of natural disasters or personal injury.

The recovery plan template will also include a financial assessment that evaluates disaster-related costs and the cost of restoring normal operations.

5. Ensure Your Backups Include Data and Workflow

Perhaps the cornerstone of any IT disaster recovery plan is data backup to prevent data loss. However, it's important to note that not all backup solutions are created equal.

Something to consider when you create a disaster recovery plan is the knowledge that many consumer-grade and "business-lite" backup solutions only back up data files — not your entire system. Without access to BOTH your data and your applications and operating systems, your company could have trouble with restoration.

To prevent data loss and limit the risk to operations, Ntiva follows enterprise-class, image-based cloud backup procedures that mirror (back up) your entire system — not just individual files. That’s why it should be one of the highest placed items on your disaster recovery plan checklist.

As part of the IT disaster recovery plan template, we leverage the 3-2-1 rule of data backup to help make sure you always have a copy of your data available for retrieval from a recovery point.

Cybersecurity 3 2 1 rule

What is the 3-2-1 rule?

  • 3 copies of your data files, operating system, and applications
  • 2 types of storage media for your backups (We recommend one on-site backup appliance and one cloud-hosted backup destination.)
  • 1 offsite location for storage of backed up resources.

Under disaster recovery plans, your emergency backups need to be regular, automatic and verified at each stage of the backup process.

6. Know What Metrics to Consider in a Disaster Recovery Plan

One of the things you will discuss with your IT provider when setting up a disaster recovery plan is metrics. Questions may include:

  • What is the recovery time objective (RTO)?
  • What is the desired recovery point objective (RPO)?
  • How quickly can your team transition from the failed "live" system to the recovery solution?

Often, the question we get from business management is, "Can we get up and running within XXX hours?"

The answer to that RTO-related question is always, "Yes," but that "Yes" may come with a higher price tag.

Cost factors can inevitably affect your network disaster recovery plan. Whether or not an organization has migrated to the cloud, how often digital assets are backed up, and how quickly you need to restore normal operations, will all be reflected in the price.

With these metrics, it’s always wise to have a conversation about the costs versus benefits. Business disaster recovery is obviously crucial but there’s a sensible balance to be struck with any DR plan.

7. Ensure You're Using Air Gapped Backups

Ntiva procedures create air-gapped backups, keeping cybercriminals from jumping laterally from your live systems to your backups if they enter your network and instigate a disaster in the active data center.

We accomplish this by either having a separate backup that isn't connected to the network by LAN or we utilize a backup appliance running a different operating system (with different security access) than the one used by the server and devices on the network.

This ensures an organization can recover its data within the range of its RPO.

8. Backup Encryption is a MUST

Encryption of your backups is a critical step in keeping the information in your files and applications away from prying eyes.

When data is encrypted both in transit and at rest it is useless to a criminal. Although your team can retrieve and use the data, it appears as gibberish to any unauthorized user.

9. Know Your Backup Retention and Compliance Standards

Under recovery plans, part of the encryption conversation is compliance requirements.

Many of the industry-standard and legislative compliance protocols mandate data encryption. Disaster recovery plans detail the algorithm used for data encryption in the data center and recovery procedures to meet RTO and RPO targets.

Retention of files — especially email correspondence — is a big deal for companies in regulated industries. Part of any IT disaster recovery plan is the inclusion of policies and corresponding IT protocols that ensure that data retention expectations are met.

10. Plan for Disaster Recovery Testing Exercises

Recovery plans are only effective if people test them and everyone knows what their role is when the plan is enacted.

At least once a year, a "tabletop" testing exercise must be performed by your IT provider and key internal stakeholders to make certain that disaster recovery processes are working as they should and that everyone knows what to do in the event of an IT disaster.

Because disaster recovery plans are only as good as your staff can make them, each member of your recovery team should be involved in the testing each year and everyone should know what’s expected of them in the event of an actual IT disaster.

Answer questions for employees like:

  • Where to go?
  • How to log in?
  • Where to get instructions and information?

Your business disaster recovery plan should include all of these questions (and possibly many more). The answers should be easily accessible so that team members avoid chaos and lost time, and you avoid lost revenue.

Looking to set up or revise your company's Business Continuity and Disaster Recovery Plan? The Ntiva team is here to help. Let's get started.

New call-to-action

Tags: Managed IT