** FREE PREVIEW VERSION **

[organization logo] Commented [EUGDPR1]: All fields in this document marked

by square brackets [ ] must be filled in.
[organization name]

Commented [GDPR2]: This plan is written for organizations

DISASTER RECOVERY PLAN where the recovery of IT infrastructure and IT services can be fitted
into a single plan.

For organizations that have complex IT infrastructure, or have

different RTOs for different IT systems, it might be better to
Code: develop separate Disaster Recovery Plans for different IT systems.
Commented [EUGDPR3]: To learn more about Disaster
Version: recovery plans, read this article:

Disaster recovery vs business continuity

Date of version: http://advisera.com/27001academy/blog/2010/11/04/disaster-
recovery-vs-business-continuity/
Created by: Commented [EUGDPR4]: The document coding system should
be in line with the organization's existing system for document
coding; in case such a system is not in place, this line may be
Approved by:
deleted.

Confidentiality level:

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
[organization name] [confidentiality level]

Change history
Date Version Created by Description of change

dd.mm.yyyy 0.1 EUGDPRAcademy Basic document outline

Table of contents
1. PURPOSE, SCOPE AND USERS ..............................................................................................................3

2. ASSUMPTIONS / LIMITATIONS ............................................................................................................3

3. GENERAL INFORMATION .....................................................................................................................3

4. ROLES AND CONTACT INFORMATION ................................................ERROR! BOOKMARK NOT DEFINED.

5. AUTHORIZATIONS IN A CRISIS ...........................................................ERROR! BOOKMARK NOT DEFINED.

6. NECESSARY RESOURCES .................................................................... ERROR! BOOKMARK NOT DEFINED.

7. RECOVERY STEPS FOR THE IT INFRASTRUCTURE / IT SERVICES ............ERROR! BOOKMARK NOT DEFINED.

8. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT .........ERROR! BOOKMARK NOT DEFINED.

9. VALIDITY AND DOCUMENT MANAGEMENT........................................ERROR! BOOKMARK NOT DEFINED.

10. ADDITIONAL DOCUMENTS ............................................................ERROR! BOOKMARK NOT DEFINED.

Disaster Recovery Plan ver [version] from [date] Page 2 of 4

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
[organization name] [confidentiality level]

1. Purpose, scope and users

The purpose of the Disaster Recovery Plan is to define precisely how [organization name] will recover
its IT infrastructure, IT services and all data (including personal data) within set deadlines in the case
of a disaster or other disruptive incident. The objective of this Plan is to complete the recovery of IT
infrastructure, IT services and data within the set recovery time objective (RTO).

Users of this document are members of the top management and employees necessary for the
recovery of this activity.

2. Assumptions / limitations
In order for this plan to work, the following conditions must be met: Commented [EUGDPR5]: You can also add some other
assumptions – e.g. that at least 50% of the employees of the IT
department must be available after an incident.
 All the equipment, software and data are available as planned in [document]
Commented [EUGDPR6]: Specify the documents where these
 At the moment of an incident, the employees of the IT department have been transferred to resources were planned – e.g., Security Procedures for IT
the alternative site – this is the starting point for this Disaster Recovery Plan Departments etc.
Commented [EUGDPR7]: You can specify here some incidents
This plan does not cover the following types of incidents: that this plan would not be able to mitigate – e.g. larger
earthquake.

 * Commented [EUGDPR8]: Read also this article:

Disaster recovery site – What is the ideal distance from primary

site? http://advisera.com/27001academy/knowledgebase/disaster-
recovery-site-what-is-the-ideal-distance-from-primary-site/

3. General information Commented [EUGDPR9]: Recovery strategies could be, for

Location of the
alternative site /
recovery strategy
Recovery time objective:
Person responsible for
Disaster Recovery Plan
activation / means of
activation:
People who must be
notified about plan
activation / who is
responsible:
Person responsible for
deactivation of Disaster
* arrange a contract according to which an organization rents its
[job title] / oral or written
[list all job titles that must be notified]; responsible [job title]
[job title] / [oral or written] / [description of criteria]
example:
 alternative sites within the organization (e.g., if the
organization itself has other sites at its disposal);
 alternative sites that can be provided by an associate
organization (e.g., if there are organizations associated by
ownership that possess adequate alternative sites);
 reciprocal contracts (if there are organizations using the site of
the same or similar configuration and infrastructure, they can
site and infrastructure to another organization in the case of
disaster);
 alternative sites provided by specialized organizations (e.g.,
organizations which rent their facilities for the case of disaster,
but also hotels or, for example, educational institutions
equipped with ICT infrastructure);
 working at home or at some other remote location (such an
option is possible for activities that do not require access to
documentation, infrastructure, etc.)
Commented [EUGDPR10]: Define the maximum time within
which the IT and the data must be recovered.
Commented [EUGDPR11]: Usually the CEO.
Commented [EUGDPR12]: Usually all employees of the IT
department and the Data Protection Officer.
Commented [EUGDPR13]: Usually the Head of the IT
department.

Recovery Plan / means of Commented [EUGDPR14]: Usually the Head of the IT

department.
deactivation / criteria:
Commented [EUGDPR15]: The usual criteria is that all
conditions have been met to resume the provision of IT services to
the business users.
Disaster Recovery Plan ver [version] from [date] Page 3 of 4

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.
[organization name] [confidentiality level]

Key tasks / obligations / Commented [GDPR16]: Write here the obligation to recovery
the personal data, but also obligations you have towards other
SLAs that must be interested parties.
fulfilled and respective
deadlines:

Minimum capacity that is

required immediately
after the disaster:

Period after which the

normal operational level
must be resumed:

** END OF FREE PREVIEW **

To download full version of this document click here:

https://advisera.com/eugdpracademy/documentation/disaster-recovery-plan/

Disaster Recovery Plan ver [version] from [date] Page 4 of 4

©2017 This template may be used by clients of Advisera Expert Solutions Ltd. in accordance with the License Agreement.