How to put together an IT disaster recovery plan

  • 26 Feb 2021

By Philip Bridge, President, Ontrack

Whether a data disaster is caused by an over-enthusiastic staff member clicking the wrong button or an ultra-sophisticated cyberattack, how you recover is key. While there is no such thing as a one-size-fits-all disaster recovery plan, most follow a similar framework:


Undertake a business impact analysis

It is important to detail the policies and procedures you need to follow in the event of a disruption. These processes will ensure that assets are recoverable to the right level and within the right timeframe to deliver a return to normal operations.

A good starting point is to undertake a thorough business impact analysis. It should identify the important IT services the business needs and the impact if they are interrupted. Further, it should cover the business need of each service regarding availability, recovery times, backup, data integrity and data confidentiality. For example, it may be unacceptable for factory production to cease for more than four hours, but HR systems being down for a similar time won’t impact the business nearly as much.


Agree to acceptable timeframes

You should provide each business process with a Recovery Time Objective (RTO), which is the timeframe agreed upon to get the business process/delivery operational again after an IT interruption.

Each process should then be given a Recovery Point Objective (RPO), which is the acceptable amount of data you can lose in an incident without being able to recover it to a previous “point in time”.

Finally, data integrity is a score regarding the demand that information stays intact, and data confidentiality is a score relating to the necessity that the information is not made available to others.

Talk to the team

When the need for important IT resources is identified, you next need to do an analysis to ensure you have the right level of robustness to support your business. The best way is to contact the individual responsible for each IT service in scope for the planning work and have an extensive discussion about the business need and what is covered in the service today. In the end, it is a business decision on what to have in place, including what risks the business is willing to take.


Formulate how to respond

Finally, you need to identify just how you will respond should one of your key systems fail. This part of the business continuity plan covers preparations to handle IT interruptions in an efficient way so that you can reduce the impact on the business.

For example, if ransomware is detected on one or more of your company computers, the plan would outline the need to disconnect all ransomware-affected systems from the network; not to pay the ransom; not to try to decrypt the data by yourself; to check that your backups are intact; and then to contact your data management provider to help get your data back.

Resilience for 2021

Businesses are increasingly focusing on resilience as a strategic objective to ensure that they not only survive but thrive. It is a case of keeping the lights on when disaster strikes. It goes beyond simple business continuity and disaster recovery planning, though. It should encompass an entire culture and set of practices.

In the age of digitisation, data is integral to every business; protect what is most dear. Implementing a proactive disaster recovery plan is like having an insurance policy for your business. Data loss can occur in any business system as a result of corruption, hardware failure or even simple human error.


This is not the time to put your head in the sand. One Gartner study determined that at least 25 per cent of businesses worldwide experience data loss every year. The risk of data loss is significant to any business: it impacts productivity, can lead to crippling fines and can negatively affect corporate reputation. Making the right decisions about how you can recover that data is more important than ever.

