Virtually no enterprise today would be able to function without its IT systems, Internet connections, supporting communication networks, data repositories, and overall IT infrastructure. However, those same IT systems could be subject to any of a wide range of failures, and the enterprise needs the facilities and resources in place to recover and restore IT operations in a prompt and orderly manner. In the early days, the IT systems data protection process was called disaster recovery planning with an emphasis then on the recovery of mainframe IT systems, applications, and data files.

With a focus on IT files and programs, enterprises have regularly established what have been called disaster recovery procedures for keeping backup versions of older files in secure locations along with processes for restoring those backup data files if some sort of disaster limited access to current versions. While earlier backup processes were often based on fairly simple systems configurations, today’s large-scale integrated and Internet-based systems have made backup and recovery much more complex. In the years up to the beginning of this century, internal audit often reviewed these procedures and found them to be weak. Processes for strong business continuity planning were often very limited and lacked adequate testing. However, despite frequent comments in many internal audit reports over the years, the issue often did not receive ...