5.5. Evaluating Recovery Plans, Documentation, and Maintenance

To evaluate a recovery plan, you will need to obtain a copy that is intended to be used as the recovery plan for the business. It must be as complete a copy as is available, and if the manual is divided up and distributed across several groups, a consolidated manual may be required for you to reach a conclusion on the overall process. Ideally, this manual will be obtained from the designated EOC or the location from which a recovery would be managed, possibly a storage locker with the recovery media. The layout of a typical recovery manual was described earlier; let's dig into each section, describing its content and what your expectations of it should be.

The introduction to the manual should state clearly what assumptions were made in the development of the manual so that the reader can quickly ascertain any gaps or discrepancies between the disaster they are trying to recover from and the one the manual was developed to address. Change logs and dates showing how current the documentation in hand is will also help in determining its usefulness when comparing it to the existing emergency.

The initial steps of alerting management, ensuring the safety of the immediate personnel, and declaring a disaster should be covered in the manual's introductory section. Activation criteria and procedures for mobilizing the recovery teams as well as formally declaring a disaster to people outside ...

Get The CISA® Prep Guide: Mastering the Certified Information Systems Auditor Exam now with O’Reilly online learning.