OR-15 IT Operations & Resilience

Disaster Recovery Plan

Recovery from major disruption is planned.

Domain: IT Operations & Resilience
Control type: Preventive
Automated / manual: Manual
Frequency: Annual
Framework reference: MAS TRM – Resilience; COBIT DSS04

What good looks like

DRP defines RTO/RPO, roles and recovery procedures for critical systems.

Risk if it fails

Unstructured recovery; extended downtime.

How Tess tests it

3 tests — each concludes only on cited evidence.

DRP documents RTO/RPO, roles, procedures

Design

Procedure: Inspect the DRP.
Expected: Complete.
Sample: 1 (design inspection)
Evidence: DRP document and approval.

DRP covers in-scope critical systems

Operating

Procedure: Inspect scope.
Expected: Critical systems covered.
Sample: 1
Evidence: DRP document and approval.

DRP current and approved

Operating

Procedure: Inspect approval/review.
Expected: Reviewed and approved.
Sample: 1
Evidence: DRP document and approval.

Evidence Tess looks for

DRP document and approval.

More in IT Operations & Resilience

OR-01 IT Governance & Oversight OR-02 IT & Information Security Policies OR-03 IT Risk Assessment OR-04 Asset & Configuration Management

Want Tess to test OR-15 against your evidence?