A disaster recovery plan (DRP) exists for potential disaster scenarios that could affect the IT systems.
The disaster recovery plan is reviewed at least annually.
The disaster recovery plan is tested periodically.
Specification
The DRP needs to differentiate the steps to restore the IT systems' functionality within the RTO as needed (this can include using alternate IT systems of other organisations or having a warm/hot site). The DRP also outlines steps to reach a more sustainable resolution of the crisis after initial recovery has occurred.
Testing of the DRP can be done through tabletop exercises, simulations, parallel tests or full interruption tests. It is recommended to test the DRP at least once every 2 years. A full parallel test or full interruption test is recommended at least once per 5 years.
ISO 27001 & 27002:2022
A5.5, A5.6, A5.29, A5.30
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
BC.01 Business continuity planning
BC.05 Crisis management