Objectives of a DR/BC Audit

On Tuesday, September 19, the Disaster Recovery and Business Continuity (DR/BC) Community of Practice (CoP) welcomed Paul Millis from Audit Services, who shared how an audit of a disaster recovery program is approached. The key takeaways from the presentation are below. The presentation slides and recording are accessible in the CoP group’s Google Drive.

Auditing Disaster Recovery and Business Continuity can be summarized as making sure that you create a plan, update your plan, train on your plan, and then test the plan.

The objective of a DR/BC audit is to evaluate the people, process, and technology components of the response (plan) to assess the likelihood that these plans will effectively protect critical assets in a real emergency. The benefits of an audit are that it will reveal gaps in your DR/BC planning and ensure that your plan is robust.

What criteria are used to audit DR/BC?

  • Adherence to Local policy and procedures.
  • Adherence to DS-12: Disaster Recovery Planning and Data Backup for Information Systems and Services.
  • Compliance with NIST Special Publications 800-34 (Revision 1) and 800-53 (Revision5).

What do auditors look for in a plan? A strategic approach to DR and BC that emphasizes a broad and comprehensive perspective on risk and preparedness. 

The DR/BC CoP meets bi-monthly to share information, challenges, and resources among those engaging in disaster recovery and/or business continuity planning efforts across the university. For information about upcoming meetings, join the MCommunity group or view the entire Michigan IT Community of Practice calendar.

Paul Millis, University Audits, co-authored this article.