ISO 22301: How to create a disaster recovery plan

When a disaster strikes, there is often little time for planning a response, especially when the systems that are essential to your business operations are impacted. The GRC professional can and should play a leading role in addressing disasters.  

The role of the GRC professional must, however, start long before a catastrophe hits. They must plan, prepare and practice for an emergency.

A disaster recovery plan (DRP) is a documented, structured approach that sets out how to respond to unplanned incidents and restore the systems and processes the business depends on.

Business continuity and disaster recovery plans can provide a competitive advantage, especially as major businesses increasingly demand them as part of vendor selection processes. Without effective plans, businesses risk sanctions, fines, loss of customers, lawsuits and even going out of business. 

This step-by-step guide will help you build an effective disaster recovery plan using our GRC software.


1) Audit your internal systems

Before you can do anything, you need to undertake exploratory audits to identify and review potential disasters. 

Develop a Business Impact Analysis (BIA) that identifies all critical functions, systems and applications, and outlines how a disruption to each of them will impact the business.


  1. Seek the input of all departments in the organisation to ensure that every issue is covered.
  2. Use Qualsys's Audit Manager to set up questionnaires for each area of your business and assign responsibility to each department head to collect the data you need. 



2) Understand vulnerabilities, risks and opportunities  

Agree on how you will determine the impact of a risk, then conduct a risk assessment that details the potential ways threats could damage your business. 

Threats may include:

  • Cyber attacks
  • Power outages
  • Natural disasters 
  • Human error

For each threat, document the likelihood of it occurring, the impact it can have, and what will need to be recovered.

Impacts include:

  • Loss of customers
  • Cost of downtime
  • Reduced productivity
  • Reputational damage
  • Recovery costs 

Tip: Use Qualsys's Risk Manager to collect risk data from across your business and associate each risk to audits, suppliers, documents, policies, incidents, etc. 


3) Control of external providers

How exactly could your external providers impact your business? Do you have up-to-date contact information? Should you spread the risk by taking on multiple providers? 

Any of the following supplier risk areas can become a disaster for your business when you depend on that supplier:

  • Financial viability
  • Capability and capacity
  • Ethics assessment
  • Social responsibility
  • Process control
  • Sub-contractors 
  • Environment, health and safety (EHS) 
  • Change (unannounced changes to products, processes or ownership) 

Assess the risk from each external provider and create contingency plans and exit strategies for the loss of suppliers that are critical to operations.

Tip: Use Supplier Manager to keep a central repository of: 

  • Contact details
  • Service level agreements / contracts 
  • Evaluation and re-evaluation criteria
  • Cost of poor quality
  • Real-time dashboards of supplier performance
  • Routine supplier audit records 


4) Keep an asset register

Record every asset and piece of equipment, together with its components, in a detailed inventory.

For each asset, record details including:

  • the warranty expiration date
  • location
  • version number
  • installation or purchase date
  • latest updates applied to both essential and supporting equipment

It is also important to state recovery objectives for each asset should there be an incident: what is its recovery time objective (RTO), and what is the maximum tolerable downtime (MTD) before the loss becomes unacceptable to the business? The RTO you set must be shorter than the MTD, otherwise the plan cannot meet its own objective. 

Tip: Use Equipment and Asset Manager to manage equipment throughout its lifecycle. 


5) Risk analysis

Identify, assess and appropriately manage threats and vulnerabilities. 

Reduce any identifiable risks by setting up the appropriate supporting systems and strategies. These should include backups of data (and regular test restores to prove the backups can actually be recovered) and routine inspections of IT assets.

Ensure you can detect potential threats through measures such as antivirus software, network monitoring and staff training, and mitigate the damage through redundancies that protect critical data and applications.
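The asset register in step 4 and the backup and inspection controls in step 5 only help if someone checks them against each other. The script below is an added example, not code from the original page or from Qualsys: it assumes a register in which each asset carries the step 4 fields plus its RTO and MTD, a backup schedule and the dates of its last restore test and inspection, and it flags entries that cannot meet the objectives the plan states for them. The recovery point objective (RPO) field is an assumption added here; the page names only RTO and MTD. All names, dates and figures in the sample register are constructed.

```python
"""Consistency checks over a disaster-recovery asset register.

Added example (not code from the original page or from Qualsys). It assumes a
register in which each asset carries the fields listed in step 4 plus its
recovery objectives and backup/inspection history, and flags entries that
cannot meet the objectives the plan states for them.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    location: str
    version: str
    rto_hours: int                      # recovery time objective
    mtd_hours: int                      # maximum tolerable downtime
    rpo_hours: int | None               # recovery point objective (assumed field; page names only RTO and MTD)
    backup_interval_hours: int | None   # None means the asset is not backed up at all
    last_restore_test: date | None      # last time a backup was actually restored, not just taken
    last_inspection: date | None        # last routine inspection of the asset
    warranty_expires: date | None


def check_asset(asset: Asset, today: date,
                max_untested_days: int = 90,
                max_uninspected_days: int = 180) -> list[str]:
    """Return the problems that would stop this asset meeting its recovery objectives."""
    findings: list[str] = []
    # An RTO longer than the MTD means the plan promises a recovery the business cannot survive.
    if asset.rto_hours > asset.mtd_hours:
        findings.append(f"RTO {asset.rto_hours}h exceeds MTD {asset.mtd_hours}h: objectives are inconsistent")
    if asset.backup_interval_hours is None:
        findings.append("no backup configured")
    elif asset.rpo_hours is not None and asset.backup_interval_hours > asset.rpo_hours:
        findings.append(f"backup every {asset.backup_interval_hours}h cannot meet RPO {asset.rpo_hours}h")
    # A backup that has never been restored is an assumption, not a control.
    if asset.last_restore_test is None:
        findings.append("backup has never been restore-tested")
    elif (today - asset.last_restore_test).days > max_untested_days:
        findings.append(f"last restore test {(today - asset.last_restore_test).days} days ago")
    if asset.last_inspection is None or (today - asset.last_inspection).days > max_uninspected_days:
        findings.append("routine inspection overdue")
    if asset.warranty_expires is not None and asset.warranty_expires < today:
        findings.append(f"warranty expired {asset.warranty_expires.isoformat()}")
    return findings


def check_register(register: list[Asset], today: date) -> dict[str, list[str]]:
    """Map asset name -> findings, omitting assets with nothing wrong."""
    return {a.name: f for a in register if (f := check_asset(a, today))}


def recovery_order(register: list[Asset]) -> list[str]:
    """Order in which to restore assets: tightest MTD first, then tightest RTO."""
    return [a.name for a in sorted(register, key=lambda a: (a.mtd_hours, a.rto_hours))]


# Constructed sample register; the names, dates and figures are illustrative only.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Asset("erp-db", "DC1 rack 4", "PostgreSQL 15.3", 4, 24, 1, 24,
          date(2024, 1, 10), date(2024, 5, 20), date(2025, 1, 1)),
    Asset("mail-gw", "DC1 rack 2", "Postfix 3.8", 48, 8, None, 12,
          date(2024, 5, 1), date(2023, 9, 1), date(2024, 3, 31)),
    Asset("file-share", "DC2 rack 1", "Samba 4.19", 8, 72, 24, 24,
          date(2024, 5, 15), date(2024, 4, 2), None),
    Asset("badge-system", "Reception", "v2.1", 2, 8, None, None,
          None, date(2024, 5, 30), date(2024, 12, 1)),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("recovery order:", recovery_order(SAMPLE_REGISTER))
```

Run against the sample register, the check reports that erp-db is backed up far less often than its RPO requires and has not had a restore test in 143 days, that mail-gw has an RTO longer than its MTD and is overdue for inspection with an expired warranty, and that badge-system has no backup at all; file-share passes. The recovery order puts the two assets with an 8-hour MTD first, which is the list the recovery team should be working from once the plan is invoked.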


6) Document your DRP 

Your DRP should include a short-term plan that repairs and restores critical business processes, and a long-term plan that covers things such as root-cause analysis and long-term preventive strategy. 

You will need to make sure your DRP is kept up to date and will enable you to meet your recovery objectives. 

Tip: Use Document Manager to store files and share documents with the right groups or individuals.   

7) Train your employees

Who exactly is your disaster recovery team? What are their roles and responsibilities should an incident occur?

Part of your disaster recovery plan should be making sure your employees receive the necessary formal training before something happens, with that training recorded in a central system they can access. 

Communicate the plan to all of your staff and arrange formal training to ensure they understand and can fulfil their responsibilities under the DRP.

Training should be conducted on a regular basis and whenever any changes are made to the plan that will affect staff roles during the recovery.

Tip: Training Record Manager enables you to maintain records, identify training needs and assign responsibility for tasks. 



8) Test your DRP 

While identifying the risk and creating a mitigation plan are important first steps, practice is also essential.

Undertake regular exercises to validate that the plan's procedures work as designed: test your DRP on a regular basis to confirm that it remains fit for purpose. 

Tests should assess all your procedures, identify opportunities for improvement, and ensure they are implemented. For example:

  • Test your emergency phone numbers 
  • Test your communications systems across the globe
  • Check all contact information is up to date
  • Make sure all communications templates and data are secured and backed up

Tip: Use the Incident Manager module to set off a test workflow to see the response and identify any issues. 



What you should do now

Want more information about business continuity? Learn how to use Qualsys's software for your disaster recovery planning (and more) by scheduling a demonstration or discovery call. 
